528ec30c1172f926ce3db1766731fd5b97f819f8f83727e7baefb9ddfb571649

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
Size

5.5MB
MD5

62ac857cfe6bb07ce2d401c537537bf0
SHA1

d82196700c77d3f4c5cf55552c51cdb9b49dde4c
SHA256

528ec30c1172f926ce3db1766731fd5b97f819f8f83727e7baefb9ddfb571649
SHA512

f39ec102e9a61fc86081195dc270f2506b16f366739f5b0bbd27bd57240adaec82974910d0028196a381e0298605c084661ae0f206ea5d76ee7c48a98acda9a7
SSDEEP

98304:VAI5pAdVen9tbnR1VgBVmHRVlbnP9WXW7H6C:VAsCc7XYOHBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3068	alg.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
4704	fxssvc.exe
2144	elevation_service.exe
2244	elevation_service.exe
3092	maintenanceservice.exe
3476	msdtc.exe
3260	OSE.EXE
2968	PerceptionSimulationService.exe
4656	perfhost.exe
3424	locator.exe
3384	SensorDataService.exe
2504	snmptrap.exe
4848	spectrum.exe
1140	ssh-agent.exe
4144	TieringEngineService.exe
4804	AgentService.exe
2932	vds.exe
4012	vssvc.exe
4364	wbengine.exe
1116	WmiApSrv.exe
408	SearchIndexer.exe
5244	chrmstp.exe
5256	chrmstp.exe
4536	chrmstp.exe
396	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aee31e5bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019fd641634b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f593fd1634b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f727a1634b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045a8f11634b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613976196134042"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009648b11634b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b82cb1634b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2276	chrome.exe
2276	chrome.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
4320	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
2276	chrome.exe
2276	chrome.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
5500	chrome.exe
5500	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2796	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
Token: SeAuditPrivilege	4704	fxssvc.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeRestorePrivilege	4144	TieringEngineService.exe
Token: SeManageVolumePrivilege	4144	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4804	AgentService.exe
Token: SeBackupPrivilege	4012	vssvc.exe
Token: SeRestorePrivilege	4012	vssvc.exe
Token: SeAuditPrivilege	4012	vssvc.exe
Token: SeBackupPrivilege	4364	wbengine.exe
Token: SeRestorePrivilege	4364	wbengine.exe
Token: SeSecurityPrivilege	4364	wbengine.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: 33	408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
4536	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4320	2796	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe	81
PID 2796 wrote to memory of 4320	2796	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe	81
PID 2796 wrote to memory of 2276	2796	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe	82
PID 2796 wrote to memory of 2276	2796	2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe	82
PID 2276 wrote to memory of 1564	2276	chrome.exe	83
PID 2276 wrote to memory of 1564	2276	chrome.exe	83
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 4460	2276	chrome.exe	90
PID 2276 wrote to memory of 1628	2276	chrome.exe	91
PID 2276 wrote to memory of 1628	2276	chrome.exe	91
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92
PID 2276 wrote to memory of 4984	2276	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-28_62ac857cfe6bb07ce2d401c537537bf0_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff844ffab58,0x7ff844ffab68,0x7ff844ffab78
    3⤵
    PID:1564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:2
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:4984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:1
    3⤵
    PID:4904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:1
    3⤵
    PID:1608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5244
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5256
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4536
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:5736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:8
    3⤵
    PID:5796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3904 --field-trial-handle=1928,i,13784563572739735232,6798508951034654870,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5500

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5764
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e0d208a2d57dc1b07e18bd89940698eb

SHA1
63af208c4bc441469730b18ad5f8689dbc7de34e

SHA256
9e4dd27c93b3824ea16188218294f9618b9b5d79ecc6d0adfcaf249d7cdc7cfd

SHA512
dbf3257c80c166695ac755ebc42aaedd5f49a16734419daa4c712698461830df80dc89fd5fb264d76257ca15b781840725d39f2541eb840535e68d6311862964

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d6d6dcabaf613c12a8561f2c2b5c7387

SHA1
a45f0172bd8af813ded76244068ecd89a7feef7b

SHA256
7a63085c077eb6282003cab4cbe904b6d4a9487497e4a8ac89a5ef92b1e19495

SHA512
9523f880ab262b7a480f88113983c537e9aca60f0fa7c8b9356abef743722dcb75218b343779956c0c0db36353924cccb2d006c2d1685430819944092f3ec947

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d7e518a2ff6844992998c027632f524b

SHA1
715304aa17316ed28ffd6a9a6fdc59432f71dd15

SHA256
18be426bb707743526a920a0b55ac426445d2ffaf2c33b22f4add45d400f05d3

SHA512
658052d7a89d1ca9ce50609b5d9b4a8d84f962de742f1caa90cc7d5b43d49531968d3f744b2f7a327e05befff9d0b5e0a5bc6ce4af45a77888bd011d757a9e20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8975b5f2ec02a283a3e900e533981d93

SHA1
f02bb170447b5a2344c042c5c86452dca9174c0e

SHA256
698e10c4ed8de67265ff8b671aa47fa4a4971a57f942cb2602d62e3a5b44e650

SHA512
0cfcd8751e8fb1fe394468856f0629c593106c50d71b958853130e33a5230c57aedb038ee9d8a7adbc9eddeb9cdb1ca6043ed75c57b07b2963e7041f5c6849b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
104a0be7945ddce433957c0679345043

SHA1
8cc529d62ec659cfca5884a8b3eb4a0e4beb6e43

SHA256
02b4a6f82ca84ac2ec793e957340da215ab194f1d77bd1e2b02904b3d7c66ef0

SHA512
7f4a449502a031123ff9bb1a3283c583af21dd9dc687bc7f9ffdb7ec39751e60353c732b92a6ed91c157bdc065abff2c72dfb5bf71b3ecbc5781583d74abfc28

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0d480870825d486686672e140d0d9f4a

SHA1
252975c4a9babfc1b1bff3aad155899b0f7fc736

SHA256
7fefb1d74d99f2363c4b649c17f5be8c4f2ee961959823fb822603c53b07bc93

SHA512
0551f68cb2d78487a1623fe24cdecd01bf48271f790dc83c87f73cb557ee6db52fc6766b6a1765f4d0b3f62867bf1dd5cab1ee3af20964f5b23faac216515516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5a3b199c1ab045ad108015d45f86d5ae

SHA1
0e04d124b991ce367569936fd4eaf1bb7d0b3610

SHA256
55947442544ac5e99a1898834e4151b59ae29abf00cc053e841d6e78b93d3624

SHA512
cfecfde5673e94dbbff45057e49e25024322f405f38a1d69e5b636080d355735d11e63363de55bae8c604b252088db39b6e1d0efa2155d76a03744351dbcad06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
00d10f2d483da6cfd3476c0da3939261

SHA1
55a9a543c6125a71f8f987fb7f5506f59026b69e

SHA256
19432bee8176a59963a4e19b513542f8afd2c4b4b74b82efe3858017a5b6f2a4

SHA512
0349c98ba66391f7b1531e413400eaf8648ddb1d3d9f9025c346be64902ce74f552d1aa2b20bdb9dc761832e09d2743d48d1e8bd5ee5816822f8ca344d8da523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b4b55532d6269127986b0f6a8902c9b6

SHA1
d3450d14c307ec0cc417cf286ba244ce50084d73

SHA256
fa3c5d12394e6bfc3229a2ee107db9399f5dfb457f2ebc4c89c48bd3a7e516fa

SHA512
d9e047887d98c5c5270ab46b8e1c01b6e309e4de72fb23ffc0f31af796071c99413aa4ad256066950ae1e1cf79240ccf6f9e635b93b7ae1ac40e9923c00a1480

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
295b938f9e918d8b8f9ac825858ac24c

SHA1
683c509ff102d6e6af160d4f1e6325ee0b8153f5

SHA256
c4aab2ddc2ddca016fe8a26410fec8129e51dd70399535c4eea756895beb01a7

SHA512
53cc7d84ca9ef273950b6570acfd391a0ab99573add78bf74f57187bcc53b49b0eff9e0e2c1251534d11d43a127a9f370e137b5d0716fc6ea4dc46a04fcec800

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f704f75c21aa0351d3a0d32250830f10

SHA1
f00ca01666a34b6f2991e6f2e7c8c52a47d4b5d0

SHA256
09fb6f1978de8ed69801c9167381e9a00b00166fd7b5ba3b4266e0af9c1dd74b

SHA512
447345c495a39807ddd758f463e3a6995a6650229e280b7a57e73f743660a65e617b0b9a91382b866d121b3e84cfc2b92637dffa47b35dea3147f5ff10938444

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4d262dd2a36349b05fbe0872e9ade001

SHA1
37f71577c5fd0a876e4c754502152b8a24e66594

SHA256
3e93c9e38e77d0a9b6fe1fab3118b1578e006c2cc34c22dcda9672d0f733996a

SHA512
7c1932b609f6c8a6bcb572e1b2d0c4d75204e8b3321f6fddde7f3d9c5da624bb4cb443af84a326b8ef5146a7d3c68d333a71dfe22107be9e957092c897b4ef36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
11ed72326f64903b3c91042a7a335dd3

SHA1
c8a49b3ed4231a2143c0b0cd0ae1066fdc3e36f8

SHA256
1fc7d81652604348fde2f77eed35041ad222efd89a1fea83cd75ded0321cde0b

SHA512
dfb711bd8a10e43c11e5d111ab66a852fd5b00e6acae137f4ae2ebaa974ceb75ceac9e9e2711f441a25109113cb04f08039737b711bf96ddb04b5f9e9b1d364a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a495efbc-25be-40c5-8ea3-406432fabcd5.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5a3a5e00774e926b886c16619597649a

SHA1
c06e13767783b92fa16d26442e60f353c842e404

SHA256
8dfec10a90acbe9aade13213d60792abed6d055ec4de341dc1f14e591deb16c6

SHA512
7b9d84e589f77a8eb1f210bfc1be6301f97b4597fc8dc2c39a79faeb428a91b33dcb2e7479e7019ce2b4149cdb270980555fcbb885ea134e4fcb2b133fb7549d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df6f90761cdc2ae9a28fc725a77324ff

SHA1
618ca8bc3446c1beb3414527abbe88d9bac0516e

SHA256
a4437cf40c66d64a5a279123da363a8a73a41c9a4bed3976e3c881400b49a8e2

SHA512
009ce2a8218b0bc75dee7ded8a31ff1e074c33df8a0b75b2079130c42e0406e3ffaf537d6bae8b3f0e328fe0649ffbb843e39a021716cd72817fbac1550000ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
98ef8bc64b8294105e972a44d4726565

SHA1
e8c11999888e66121a7208aba8e1e2d6414ed9f9

SHA256
e3923a0a86403adb69bc1dcb4e412fc3606820ef004668eb0b898c7c767550e5

SHA512
7bfb5eb2c4578a98e46450b0df7e886236f50b7e8e1163851d4d068e5d1d9c82170a68fc30cb0447a8be13e2783fe837334da85bcf8e3a1f5e255192509a2e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0bab0061a159acef0953f902f942c240

SHA1
6e7b96c738d5518995d684d3d3c9c903efb30c65

SHA256
f3e1db2ed31d423287ffda69d04b74a981d8a893402c8a9129f6c13660014b39

SHA512
fb4b6db3fcca1f69f1dfd0145c580255307c5fbdec0a24a727da0db3a0bd0ce3279b2583eff4688f0041b01bb5745401214b2002c3bb0754a88c2e414346fe02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575c2a.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ef34abc834b27ba6db8fa4b0271ae5ba

SHA1
9b7ee98ed352abb058aa8a0b8e4d1465629187e3

SHA256
afda81aae8e450ba7520321e549f8d55b4ee19eb11daec776c324fc9591cc66c

SHA512
fee182a39c7f2a3c74f7aaa05cf64718c4f9017f168a8125485c03e5501b194cd16fd81c457b1215ea1a261ee8995659b4c8cffa7c967e9771d1f4576d8c96f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
45932521d0a9e7d65faf3bad4b3662e5

SHA1
38b2ead8aaef6ca75ea3c7bc22c2b63edb09e147

SHA256
fe599b1099ab312a9203d0df441c425a771e07b01d36d5807e9da6daad3e68ae

SHA512
bff2f85b46a28c96120ce9d79ad3329d9f58c22247e042ad8399c0fb1bb3297f8cf790a00cda1ef1a8fe5806b1b76412312e2794a824d111d261e88d6160cbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
b47599040df88442b8f2b64ee46606ba

SHA1
535144d7023dfb333e930e9a64cc2e0aa4359185

SHA256
df1cf60d9ec76c165ab6eceec485d4a4ecf8b378975625bb0d69c8d4aeffa2ff

SHA512
a4c78b497542daed63b08927ddf9e81682d473bf379435dfac58b5b3a3ce4cb40d03a1c84146bc4847e8a31cf8683079efff27b17ef5ac6ca8635f8923e5b2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
5cddf7bb92b7716eecf125cb956061ad

SHA1
d8888ee3e37c6f2002c1c8f7dcdcad6ae6040dc8

SHA256
90a41b69cea1d322a418aed276ac9c924d5556f2911a045c728cf0e43ecfecf0

SHA512
c4d39cd05444579845fe2b194a57272e3eef2b17eaba87a254801d545b9a9bd119b3a37261120f87c2807436e060b4173ca0e3019ff6650850fdc6ac11dfccec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
697d4d91b93cc4d59ac716c049af777e

SHA1
d3fee006c340836598215a75c64c2c74441a0137

SHA256
727a7a8defa660b2aa5d35409f05a6cacccf0eb0a2752c865ea14bce5e78a32e

SHA512
442ebc056783d5df177393f9276c8e0b41e63f21b96ef015c881e34f00bf50664e8c04babf6c6f2d10590bf7ba07a16061bf64c5c79be03aebde7100fb0c6fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
a468877bbb1b8e0f3f38e98b1468843a

SHA1
470c836059baa14c1977663c1a1146103d564587

SHA256
ea29e649973594154241ade27dc59046c16e436249bf52bf526842a3f0a38bdf

SHA512
815c26e52e8b742cc1917eeaa1d0d0c38be0be5ed00884607b6b01dd88abd5e68e053816e94df6e2f993ce7c1fdb72eb4fb0d13704b66f064a3735189d047f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d188.TMP

Filesize
88KB

MD5
a73149dabc355d14c3aead3f7c311b65

SHA1
38fc52af30d8eda4beae205bafad1ebd25c92759

SHA256
a40bca26590931ee208ecb390095ecd3101b912d5a18a56da3b8a0b8035b0d97

SHA512
9baf31d38642ad37d90f5fc0bc150211d233eaf0c7c385ff4666b5f6d764130e73d7c3fd709d095cd3bc56f62d6f4f67a95a4e21da738e78beb9fbc6b11fb673

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ee8b1216c00581fec8ea9956153cf41f

SHA1
946b40e1c2508d446040cabcf8d3acd8faca58a9

SHA256
d3ae106429fe3d3cee175a56f85638478f00a016d9bd8dd07cff7356dc4ca0e0

SHA512
d7565ff5d3a1368cfefa0ddd969eb90549988ee55389ccad212a6e01e09b83689edb0ce654127a66bb64c6b6ecffb42ee029cc291c52646dac250258eaa90dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8a9a177434b2442bb3f2aed44e7f1e2b

SHA1
6e84af82729d719b3c33cfc064c9583f8759d114

SHA256
01416ccf0da294d08db2f052b43844c0587b049e4037a2d0a14ab2abf5cca386

SHA512
27e00ba53af9d54532d522036fe24a693439610b7f1af58568871479d845515c7ea91ca5036d8ac98b26864a3a91003617afcf743d62e733a1ace18ed06b84d4

Download Submit
C:\Users\Admin\AppData\Roaming\aee31e5bb5459c0.bin

Filesize
12KB

MD5
3a270385ee94cfb1c1f3b8d2f351c2f9

SHA1
f6a43e943abdcab619ce0d4f6f8d8b1f084aea52

SHA256
f12df1b931896de77127ef49bfc40cc84c06cd26c32946056cca859ed77cbdfa

SHA512
31d024bed9f5d5d82ef9cc6b56807c6fd790d4a7d365bc2a09b3f4b0e04d5bfd4d0f2079f83446a38a548f5fd1fbaa22cbcb51528e16eaf10511e33c49087f47

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f529abc848276c4cb8394f792516689d

SHA1
4b0527ab4b63e9edf7340050c5c09356d1e2c7e4

SHA256
04ef31c487b425ecb0e4e83255a33c3625e7e851107f975d0f08d7544b71a982

SHA512
113bd123e0225c4319b1e1f302e12ea8b9973376c134af925528bd5b67bc354eeac8274f075f6f2761a565a6ebef17ec2072bab961869f8b88665d31a7a5b708

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
abb44cdc65886649c866b82520588731

SHA1
40c3c1cf276051aebc2643d19f5bd91a0b0f0af2

SHA256
c1eaab487cabaae3415b4f31784cb101f91cddcba82dcb1eb44db03c594a9e37

SHA512
5801647d91988fbb923c340cf367150caea6098d5af4506d38fc78aef6f5247663a53795b73e7ac015bde2eacfae4cf52ff393d738f86779a0b0d0fbc99a8ade

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
78bbec9841b9a6a22b419523bf075d4d

SHA1
38bcff07a5ed5139a9b8900c7cbc85b1632b7126

SHA256
bac2e11f213c72b64be4995dbc91f57059f66d90debe17b6d27d6b95438754ef

SHA512
8dc181ae6d5c61f606378fffb127d185ba61c4b667b51da67366f70dcd7531a32037376ca37a72c1df5e5a1fb817ccf3bd9df855a81ee64a571d8841e06e9b01

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
306a826faa80571145069ab9c251aa41

SHA1
8c6303bafd1cc120446a8e12bf39c58f93490b94

SHA256
39fc4527b21907395972611c3a4f12bec3d3f44611b013ce1c4f3fd46d019e30

SHA512
0197e3e924aa2f0d6142c71ec5d2b3e6495924097dfe9271317081a9cc5e910cdd15911fba101e85e80ead26b0b4aa3cf52f73e12123c7220718c151a8d8b72b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b292ae3a0d2c083d7f0639d14ab9f7f4

SHA1
00dec38dff497bf31ea0f77202b29f2e81241029

SHA256
de71d9f6e7ad0d36c4611ab4c6e081e60ff8326f4953367ec2557b2701c8995f

SHA512
13dcee5766a584e187eed19fd3176309267fccc6deaca631ffc499c5180bde14a79bd57d54b17eb8acbd16b367ffd28d348c719d52fa3da712fed5ccac232980

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
97d3cbcd6af4fe5a01d872168a2439b1

SHA1
0e2f1da302db310bbc69edf715fe6afda8b353d3

SHA256
084fc8d6196c82426324be652dacf274e7b897b41d966c8ec7a8bcaea3f6a6da

SHA512
fc49101ffbb0a57cab299eda6da753f45dd242b2a1e2b62f2931c540e41db780532dfc62b663cef13a344316ed2d49df0f481a9dcc37195e5908f3c1dddfba64

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
000c44c984a050c44d1926a656104bf6

SHA1
d6bd156a23bca1645c94f4ffe870e6f155b69118

SHA256
fa6e7797561bd0ebc488948c08bde9ce9ffa51a2c2a16e3899bba59eed641bd9

SHA512
7ca49b856c915800efefdfbc93a6059b712f806521b512a3684e0a6044f9aff48d18079c91014976cafa1e944137b51016f0d9d956b3652858dd7f99e6da9d16

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ea0ca913a6a9870f340032bef7bdaab0

SHA1
a4dd462c02922271bb8924f6eb159dbf92041d7d

SHA256
04bdf9a7cf27066664b98ec91996e14ab9ed5d513ad167fc0b236c39b498df65

SHA512
15d4626c52150ab38cd58a9294d1250785feeef3cd8262abf006cd2859e0553253822444a7fff2482c661530dbfd697989a55b80cf265e46742f9d254a3f9a36

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e63b8c2da91b0109761ccbaa8a960140

SHA1
4e142ad7b56d91b98496ca98b4fd891d5efdca4d

SHA256
f89006b54a6025881b0833e80fb86a94c947e872fb505da9da8dcf700791d030

SHA512
e12f51dcf2f020972ddad7f3d409a36c08a5eafc3e012957db00f77b422c3d717cea475db2411dcdb2a802a009c4db84b5e4b4396e945d24292d905ebad027a9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6d4abdf1e21d4ca7a3fa39ec255c10f0

SHA1
665058c0dfb7896dc47843f4b28ed27db714f3e0

SHA256
0048a38c80ff664a85fab105ce73a70d1674f442a31aff77b33ec3b25275fbc1

SHA512
833e57baa67f509b4d9a89515d6fe5ac89309e908eb3ba8a74e7ef1276d6ee98088636af91def39ff91135818e4a456351d88338383d791df54512988c8b4bde

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cddea54b4266050306f86c48c5b0777f

SHA1
ea75900da5efaf3a1517d6cc7e13c7d72da6214a

SHA256
d5c0538a76aadbdd6f017abcff0e35ad3085883c869850ae2b678316f791baab

SHA512
cf69ca39ca0cd31ba29e60b65f1fe8b34d46d5c9356b5898c0c038d4834b899ee6eaa17a2ca4bf392bdcead56ac40cb0e08e87331046a4d1ad2094b756191e86

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ca2f57421a63a62804a26f3262b8fd89

SHA1
ab1357568eb4410d60ef23381e63f9576f63fecf

SHA256
59eec553eb8f25e349ce784181c1eac5288813c4cd72e87673cfe867bd7a8fae

SHA512
843737babb1cbefecf7238a74dbde0d2e9e028b4f0feb385dcaa81efc7009d9a4fa4d39eef2118cacd6d658cc7ec72c81f2a6737baf81188e930e6203ed8a721

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
553463279a24f8a245af8c0987be1837

SHA1
2233422bb99f8ea21484a6554a2d28d19d54668b

SHA256
04ecf7c17f95be6d8f9e4dc986112ac50bc30ab4cdd44ee4ca818c6b0939f667

SHA512
a1f8f9d21f654af62f64ec9f301d406145b872a6d3dc5b6b9dd908f2eb85eadc3975c5272b084af17cd44ddcc417fd502ec8cbb4b76d0825a18265d8b9811faa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6419a89771fba7b27ac3e17de902d5e2

SHA1
81c5fb13c85c4710bf6fd474d5899c4849388ac7

SHA256
5310f5a46d2aa8bbe9851680e72ede3ef24f003a466402561ce476cdf5d08072

SHA512
8cfebbc7745c956bbf270299051f697a0c5f364e03efeddc579f0edd8abdfb2a2e096fbf24911cd42194bc9c6772f7682ea75cb90184ebb98a09caa6887d7eaa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
16da7c7e892fd4f35b64c6fc89fb21a3

SHA1
7a5115331d90e13d8248890e14611407ee3a1087

SHA256
fb9e6fac5e869278fa23900db7dc531cb9c2352fc5de729bbf6fb5ce79a002d3

SHA512
febe2f773ab34ea3845122d886e49e98f2e0192a0d427b06f86992a204a3133344274ae51f19a66cd92c0a53aadcbfb162d5e7a8c9b359edf17a002c2cc3494d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1fddee3f906403fce4cd2475b34b1244

SHA1
972ec5bc527fae9f87a26b090fc2a213d055df5a

SHA256
b587e620faaf5052476010597128ad6906ac071d76e5693c2431cf0ed653d60f

SHA512
bf31a79d466a9c38cb9d2aa408b55e527521afb593b74af15ee136b4376cb5dc2e404687e18f679c4dfcee0f37e437315fd7d580f848880176f765211b4734d2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
782b40b03343aa6a60388d27da005d70

SHA1
081bd7fbf28c6119c382151881a1224fa39c8674

SHA256
64ad404b9a42c4114588b9c85be8ea566a4bd319977e1e2a169cc7a1e097ac8d

SHA512
029118730257d539ac13aaf9e2ed9fa11582b61f35316aa36cbc4c21e676c5b56478b1a55f941387b976690761257537a8534bcdff7c59b2110b4867ce2c6bf2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
997c386f8bc9a32e213b28e19b7f2aa2

SHA1
080bb2a754baaedc2f7dc3328346a46909b46eee

SHA256
d316ed532038d8a736440fab7b996ba1c2aad7deef6344fde55917c9e5cf78c8

SHA512
809c83610e511d10c6f49e4b0a5f4e5580c8120cc9ff4031b4026a5e6b99bfac56e1b906614848ca3353da966c0779758b74a59bee4eaeb9379591a9276fa30e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c54ce7a3b1ac01f2642303954fd0ced1

SHA1
f5354d28b621a89c1557ec891c8c7daf248f5619

SHA256
f752966f3d595aaddda1c1dd54576d269ff0bb114c44a2ecc8245d0390d728d7

SHA512
cca08d841e85d44af429628a891ca9d8ea78a49e8dbf5dacf4249f818b9390f682bfb5791da5f71e7f1359fb907369fce214d6c330276a25d2cd4fa966728dd9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
699864d7661dceb7cd15e3852e4e31d6

SHA1
e258d9d7dd576fa8eeeabad82a552096d4ff6381

SHA256
c566dcde6c01518b81ec55c79641679cf08c43a29605f5cc08e89174aa9d306d

SHA512
f62cbe04b01fbeb81d6ca82548e3c443527cce690ec0b0577e43dc8b1f001176aeb4242f194e6b1031bf3d70c4a6a181b4452aa9de9ff44c43243bc6df1a5ecc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8a24c9c7ac1945b0f39e9ba6c32564b0

SHA1
0982d3ec1077cde8ceccabeb8903c490107cd11b

SHA256
8bd470f5d1e9bf793d65c354c81dbb65f15a526f2f56ce37312b8f4bbe9a7dc8

SHA512
6073d2e2154a4dd1a198a06a79ecaf6aee12166b3471bb8664aabdeeeccb7ec1d76e28c0146815a73a9d31814239d1737ef157062d4778c7ee64464b7586ba0b

Download Submit
memory/396-460-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/396-609-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/408-230-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/408-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1116-599-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1116-226-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1140-438-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1140-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2144-109-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2144-51-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2144-57-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2144-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2144-111-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2244-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2504-166-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2796-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2796-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2796-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2796-6-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2796-0-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2932-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2932-581-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2968-134-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2968-133-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2968-220-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3068-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3068-162-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3092-106-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3092-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3092-94-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3092-101-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3092-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3116-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3116-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3116-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3260-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-123-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3260-117-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3260-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3384-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3384-229-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3384-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3424-163-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3476-113-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3476-212-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4012-582-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4012-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4144-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4144-454-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4320-17-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4320-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4320-155-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4320-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4364-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4364-221-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4536-453-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4536-469-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4656-224-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4656-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4704-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4704-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4804-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4804-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4848-409-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5244-484-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5244-407-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5256-608-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5256-422-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download