fcaef56cbca5bf8bee687b1815f42e1f6646b4307682203feafb58ca309edc1c

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
Size

4.6MB
MD5

2f58a546190dce112b59b89802b95411
SHA1

c66f4977d997f2e6774415bdf5eb671764651b7b
SHA256

fcaef56cbca5bf8bee687b1815f42e1f6646b4307682203feafb58ca309edc1c
SHA512

efaf31d6d9d6eb66bf6fc083843c4b23c41eb71f24f0adb657e7e5e8263d9cec76e79c2f73bc132a159ba26f284866bda3962b695bda820977184e6646dba885
SSDEEP

98304:e2D8siFIIm3Gob5iEfRVlbnP9WXW7H6C:e2D8j+7GyIEfHBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2276	alg.exe
3508	DiagnosticsHub.StandardCollector.Service.exe
4232	fxssvc.exe
4296	elevation_service.exe
852	elevation_service.exe
1412	maintenanceservice.exe
4596	msdtc.exe
2404	OSE.EXE
4804	PerceptionSimulationService.exe
3288	perfhost.exe
4896	locator.exe
2928	SensorDataService.exe
3968	snmptrap.exe
1268	spectrum.exe
2140	ssh-agent.exe
4420	TieringEngineService.exe
3156	AgentService.exe
1068	vds.exe
3980	vssvc.exe
1808	wbengine.exe
5204	WmiApSrv.exe
5320	SearchIndexer.exe
5792	chrmstp.exe
5280	chrmstp.exe
2812	chrmstp.exe
5632	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\264b4d99bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b415906c9cb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ce2da6b9cb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb534d6c9cb7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016c7816c9cb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0910a6c9cb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000682c466c9cb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002b46e6c9cb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
1944	chrome.exe
1944	chrome.exe
1496	chrome.exe
1496	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2656	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
Token: SeTakeOwnershipPrivilege	4800	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
Token: SeAuditPrivilege	4232	fxssvc.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeRestorePrivilege	4420	TieringEngineService.exe
Token: SeManageVolumePrivilege	4420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3156	AgentService.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeBackupPrivilege	3980	vssvc.exe
Token: SeRestorePrivilege	3980	vssvc.exe
Token: SeAuditPrivilege	3980	vssvc.exe
Token: SeBackupPrivilege	1808	wbengine.exe
Token: SeRestorePrivilege	1808	wbengine.exe
Token: SeSecurityPrivilege	1808	wbengine.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: 33	5320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
2812	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4800	2656	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe	81
PID 2656 wrote to memory of 4800	2656	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe	81
PID 2656 wrote to memory of 1944	2656	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe	83
PID 2656 wrote to memory of 1944	2656	2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe	83
PID 1944 wrote to memory of 1564	1944	chrome.exe	84
PID 1944 wrote to memory of 1564	1944	chrome.exe	84
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 3092	1944	chrome.exe	92
PID 1944 wrote to memory of 2376	1944	chrome.exe	93
PID 1944 wrote to memory of 2376	1944	chrome.exe	93
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94
PID 1944 wrote to memory of 1624	1944	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-05_2f58a546190dce112b59b89802b95411_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff844daab58,0x7ff844daab68,0x7ff844daab78
    3⤵
    PID:1564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:2
    3⤵
    PID:3092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:2376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1552 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:1
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:4984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:5880
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5792
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x274,0x278,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5280
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2812
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:6032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:6008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4964 --field-trial-handle=1948,i,2843479399283239116,12067386370060042542,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4224

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1268

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
baf79d2ff0f9db05c5d02042cad21677

SHA1
5a6d6807abd4159238785ab790f2cdb6a7579762

SHA256
e86aa6be2055c0ff90382b60f509d5821c52c656302abd98bb932fe812406feb

SHA512
f2e24066d6f6933e76ae71c25f1eafc73f2e88bea372be6a096f9a56f1a7ed48b8ce990a5eeab2d5cc1b124bd7f35ed0ab7ecff7813a63928b3968eb07748e6e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bb040d459c7c0f4b9e76efca3dbd59b4

SHA1
0c2762265ea040864865170bdd25e4ad8467f61b

SHA256
1d34f32148df223fabb3a8d6a72ba14f8ed22d7d35dbd08c37b198033772383f

SHA512
6f5d21ff2d0e036526b12b432f439bfddbf5a17afa5ad1b3212eb67c434604e036230646d859c4f0d4f1db0f1fa01690109822717d09ec983b408bd755db1ea7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
192KB

MD5
8b1f7fa20cd5d6ebe70bc2b2c5e94f5f

SHA1
c671a77adaac9ab088aaee463df1351de39d57b6

SHA256
d03c56d3513f4e3100548f9be9b761a18e57755f0dbcc6fdd0990640a0991ccd

SHA512
9886156e0f5d511c7da080080b9daaddcee52852e0b59051df4e7a704940ae4fb2ea460074b06571ce5d44585c8a1f6af8bb16e11b2f3a9e88b93513dcd9d69f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cc60fb62e84ffda04bf00475bb6eb3f3

SHA1
24d7564363bb8400200579b2383b3306f4700236

SHA256
52479a238089c5f9464e2ae7edb713ec48bcdb2f3de840dfcaec7181b96be597

SHA512
6b6480752673b1ee026ba1c3a6b0f8aa8c64900a9154237ebdbea8763fa949d45a7bce1d1b9eb288188ac5418495fe10738a17afae13b3eef186296fb57eece9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cd3617d3ffd1d9021805625c00628871

SHA1
8439937690e7a1557745c41906086988466dc7dc

SHA256
c72573ff743ac342084438af8d045d64f1dca0c79337351cfa14b2d3bb44ba97

SHA512
6b4fa0e1c0fb1718af5efd61304185285e88de2de8863cb273c86930ca12485a6243d64790aa1028032be21003b411e90b56bdc4bf67108e2b3eb05119a4ae75

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c223dc21be338d4fc7f11e4ef08175e2

SHA1
176c95b81676de004e34298471de08b0b5c96040

SHA256
eea501b2d663836ad56788083b6d91c12727c1a2ac7a8546879cd66260a1a30e

SHA512
0d7bddc00b64652f529a6222340712f9b2941b68c7dabfe04e2a798622c50a2341cf716aae5a7394c6385da5b466f2fe7131db431be21edfaf67dd544002053a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fc6732534a243f103a683bd8b028e3e5

SHA1
649ea88968a95fa8587c9f63b9e2c85d00716201

SHA256
02d77fcacc7a4b201f671f2a48693a9fd894c39baf502460da2c600517e93c8e

SHA512
d7512aa31f9d006d5d63f43fe429c5930f2d0f2602f3712fafd7ce154b2bf788b5837780699ffb378c22b6574b2e250ef8e2fd13fa0bfd6e50ab254f3439319e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
77a286a5fef29564dbc562d01392171f

SHA1
9430223cbecabfee439aaed0767f56b92cd63ba1

SHA256
cf844fa956b0ca2ac0f864efa8a0c2100ba7740fe8598e9192b80eb492956ec0

SHA512
a5410f2ce41cc2c96a544fad6c41b7dc60b459742df2f95d2af70dcf397e1f54a8617a435adee0cad2a820eabb6bd5d7e2a986321b1368e42171078ee8c41d0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7cdf4f86e05f981ae9d4be2db662754

SHA1
bfb7b8aa06836bc60cf75fd7cf6d979f45a63aff

SHA256
a4594973dc69ae6985e38e963a4a7c1b3d499a38a235ca0c755c79c7858e8194

SHA512
9a76755682acd2f5abfa01e96a3a0ff6fb84c76057f514126b89835b5f801fd0e818a27c77b189ece75d282ba3a1b64543038b01bf1e32a3b6e982ecfbbc1d93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8a02ffb79e57ef021e8477e3d5809572

SHA1
c5c6e52e657b5db86ea1d8bdc016cce3d63da896

SHA256
3d345b550e46f29aac6e6f98feacb2164b38339d0373465acc8f5290378151e2

SHA512
5c5985670e65381916d54c5072384eef035bce941649df8ec1bd9cd9430e89f9115f533f58294a324f31b5101bed6ca2231472946df634d2df134cb89ca7f852

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3b7ab4138ef5f8d0879b057b963f4ceb

SHA1
7ef8b55b092a9f507201fdd4e27162079af48fdb

SHA256
3d1372900b3243a56aa01e244a91dd60a6565962f6fc8ccbf03f5af88f4d6adf

SHA512
37074ab7756ef6d39ce0e5964d25ec011b9ceb96a6c03b52e7a75f640a4e4c2356ab217892a4488c352ec0acabbb174cc88f7ef962574c35d3e6afdff66e823c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4ccad73e683d8d7df94bd2883fe04f11

SHA1
3f77bfdda8089ae5b87ec70c129d3cfd417de90b

SHA256
60c9bf970dce7e41c2ade2ce46ea90bb13102e77f3a666e6d0e73f9345e4dacb

SHA512
a47affb3ac5d3226ad8770ad5f887cf55789d85867ff5b2afe7e8a406bbe42132f02d49af6eb60abdb7ce31ef021d3e395f0962612b30a19a941a57b094c7c89

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
448KB

MD5
abf0667747ad50629d802051c1227996

SHA1
65d204b52605e11f1cec8bbd2ecbaa67b7e5818f

SHA256
d0779e4b42491bcb0c8b58b680d8aec27d5f9ccd80015dc9bf2e38e02da0e401

SHA512
94825b0517645c03e676806f71fcd20f8a8424b15a1ab5a5cc30a9aafb98f6c15d7f8a2a89e3ace0eb32078531d59bfc81d1aa14a3e6cbdf7704a113731587a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
04e47248fa1540076a9275269537bf65

SHA1
c599628cdf883ded523e4c7b87f966a98fb8008b

SHA256
73c1777d1973b899ab36b00b8ec129f88ca7289a453c5a9b8a07380a30ea80b3

SHA512
e432b186ebdd6b9af13184780c20e0670a99a6716574efb64d4505f9bbc1c08ced017a145fd89c7fc42552f2f788485ab855419587ba561ac4da23c634acefd5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
2.1MB

MD5
4ea8bdedb364243b99510f013de5e2fe

SHA1
9e6d9a729cdeb969f15535a615248f3854c9a972

SHA256
6312fc5b650ff84be3d1dd66e0834ac206bda6fc28c27aba24ee84bb848a2076

SHA512
acad9bf61c918800ddf109a3d1117b97cfb0bdddc8aba05a40391910b2a494957e1f4a5ab71215a66b8272783353ebe94f5bd5fed8b05072a14decda7438b12e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
448KB

MD5
d282e95ba67c81db6c3427dc8b30f90f

SHA1
cac02c52787badb092e122335e538dab14e6d36d

SHA256
25283cb418b6f2da5f7e9c0622aebb374b58026813c941f499ea0b6a989886ff

SHA512
e66e98e888b7a621850d74c206191b615fc7a3463b4ced62ce28052ba13eecfb6ba2c482b9f5f0a6128392cc8493af2420060eea17b5b3607c47ae8c0bf09dfe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
512KB

MD5
99f3ce961b81192b22ccb2e8e9426ff7

SHA1
60161671acfb5bd7db60746c5b00fcab57e7250d

SHA256
b1f6d526b431a7b4c14857b65e9b42d301b0e1bd455fe2f2645aca295833b9df

SHA512
a15b16329e498de5c4c89abf6628a806acfc91a0a253eec21831000bb04409df456d84bb19e596102f17d04bd0f8ae0a837eec8fabf60a19add345f795f5202c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240605230216.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d70e691ba66b57d65ed8c70e9cc4cb6b

SHA1
ffc37d8c34f6affd6965fc95d91ef84f23302e1b

SHA256
8c1231c4de53dfc94f0a984f491a2f69341fefe9fa2ee7c69581cb3d2b084dd6

SHA512
130193e37a4a2d9dbb0c34752cc5f6141a792e28a6c263d95c36359d55925b3befe49393100f0fba8aab9a6a0b06812689796ae24819d5931136b21cd7142eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aea8e8b3575177309a12949e555d4cf7

SHA1
4e3332c2906ce4ff29d82e248e96c04886ed4be5

SHA256
a637be09a52597a95e2571a26a8cb431ad60478a9cb2f14cfcbdf4b9133dd574

SHA512
af1464c8c5d3b6121990e0a642eb81cc5bbaf0d3dc310469b9ceb95ba9401297f886d8d77a4c604c82da8b76c07dbca7d884499eaa26fc2d8c8d50f98c5b0c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
daff899a992ee46ceb93a7fe3a80aa4d

SHA1
6e22d301f9e27bb2c481c81eac048009e6f39eeb

SHA256
8b7e522e725ebaf05b2dc72015511a424eb3fc833f526d93961ebfba2cd92390

SHA512
5ca5c4f966907a82ba73008c980686962972b4e8b4b4bd665b10f59f8b106b7e0dfd3c2c0ec2ea509575a380ad4523db2619cc720d7dc882df259269e4bb413a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2ed6205caac7dea9e5807d944064b7cf

SHA1
6d0a4b8b50401c6cc2620d1c85872615eec54584

SHA256
b5852243e29cd4ed5760a860b9df1ebf50b915b40d93bc0ae69bcae14602b6c5

SHA512
97972f2e03aa59b3fe63550f223763ce84416d4ed6cb54d5756a06a9f30bb3c34f16b0589ce99b9f756a7ffc2ef6627aa15f7ae4b573084fdf04d94b35d91247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575e5c.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
cbe95c9725f194e4db641c6a722e3894

SHA1
c2a8cca4672c296ba18ac85c93adb4bb036ecbaf

SHA256
f6f74ed495b8b985745c8793fa8946500b6e656d33c5bd7b6362d66fec8fe74b

SHA512
7b47e1387959a3971dd0fb9e3dc24f38f803c0fbf88d3f083e1ba51abceb3e895115ece15f1421f04b42428610c050c75b2869d88fb840fd55a452b54ee3822c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
b6def1d5945b6d8174226ae5f34f46d2

SHA1
99af5127ed17807ca15ab10bdb5177197889a5c7

SHA256
c8d13cac69dfce76187a16995c594bb58c9eb6de67726d582ddceecae65e647b

SHA512
4cdbf1572552af23d0834d43854774c00ef82ed0af68871fcb595bcf2642763fcca324b7bef93408cdafb8ca2915148ee225df8484390164f80fc6b419e2787b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
3c21eb22f81cdf7505c02d4d5cc9f28f

SHA1
f537f170bc48d6d14d5ce85c572c3792036aa5d2

SHA256
bca110e32a767160bc6f38faf301f32aa1619a15a02824248d44c2ba5b7452e2

SHA512
7fffa50508082d93e1df2596bd5a2349f3509088c4f7fe34e4348a30cb71e472e41c3e4afbb1acfae0f5ccf27384e86cd49e070841d8a1238e76f91ccfa04086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
1f3426e6bfc44f8405f652db29027225

SHA1
25926f2475fc45f0ca7e2b29f56c90735406c01d

SHA256
d03d694574ffcb73b0f9c2efc147719691b3fe799daa32a5607898abb2b249fd

SHA512
141cc9122382b198b8425fb7fc35335648b97a943c6939937aa6e1cfbf9637b2d173046d8f6b7d5479ce5f309191c225ce910cbbfc9d5bbb7e8ccc2d81ed6bad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
4b25e1b0184e055047b547917705adf7

SHA1
afd1dfa623556d93ec7c723cb61c977a33db4f19

SHA256
09a8c2a05bf2575eedffa87fa0d85f6bd9a43ad9d9e3f9f10f635c4aba677644

SHA512
4c115333c093ccace85dd1b682ae0100896f36366263cad533e3629b7901e6f452616fe95697b2b4260fb144306f04880862a095e8f7140dd3347bba20f8a2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
47e42da3046df5355c4991b06a7ae959

SHA1
64e84b2d2862531b233863dba0325b8cb2c02b76

SHA256
a99551e72a30cac6e0af9db9397dd74e059b86905a684bf3c9b3b15575172363

SHA512
742c3e86772e67255ba892c2b4c837261bf1db42f49f2cb8724a5757fbf4ec290e4af6750d2bd0d640918b4b2f971b1fa6367898d63651497ff8a2379d9577bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d3ab.TMP

Filesize
88KB

MD5
f9e537a8677de6c4e3bdcadc3d09e28a

SHA1
870e70ba38db0e2236d5e934f9ed4855e05b740d

SHA256
12e5b224516d95dcbc6bdd45bc20a69617dd1487139883c3650656c4681203ae

SHA512
d953527d32e08817edf06c5b1a56c251c8b437cfb258569ccd455c4f133a7768c9b320dc5d80f018c5a77247a6b7e18b67f1ffc311db4543a00e8af5242573f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
5027b9c973948d176ff588fe0a4fb275

SHA1
8e8c72ec0561a2b49b2a6d8488eb2f65c86c535e

SHA256
9f7d782b502404eb88503cca61eb4dc42c792d1c3c9c897b3198de62f3402b0c

SHA512
c0e0efd636348ff07f1641f4be4036af499a733c6bb788f2b097514864770eec7501a2b66a134306aff2c468f374f15497dbc7278ac0b3b7be004af6a43e35d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
fb0cd7d530c29479758ae71d232eb7f9

SHA1
1f6b63ee68c4fa7eca6328f0b67851cbaaf7ada4

SHA256
afb0bcfb20b401ce03840d928b258464591f60addb9247e55aa93daf6aae515a

SHA512
da1991f5f5fb2cb6c9a6189bfc0e8ae26bdeabdbfe2616790eada2f72f15f3e2c4c0e5b1ba32275eece877f43f0c44a0f9599d24f8b20fac2d3b280fd85b9b9c

Download Submit
C:\Users\Admin\AppData\Roaming\264b4d99bb5459c0.bin

Filesize
12KB

MD5
a59d44b37ccc8930fa0a0335a2325b4f

SHA1
53c2678dab2c5d6bec150f9acff90606c305f34e

SHA256
0fc1f6546d07529d7b086fab5d507d22d16d26d93ae47a33e220867f23987c06

SHA512
32ab6ce230296cb900855e5c9f7f0b360b255e5b9308ccfe7fae2bf1e161e066fd6390c84a30380525b3601ac5db16d9573e3dc38b0d8a51dcac4a28eba2d527

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
448KB

MD5
e1e92e4ed28cc677a6946c04be81502d

SHA1
7a3595c92ebe7f87b7751eaadb73e0af6d4c42de

SHA256
3a60167c637d2a6f4ffd42d298700dbb0ff4a1ea0b681470e60917543ef87a93

SHA512
74187a749de7fbb75c3ce7f921023fa364677ed21cea368b3eb47ae293502f358f15f513d1ce200a7c38d35af86c9dd79dbf85b8a95af6f41de8638240df6f10

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9c0112bc4c4ac4d4d0b8d413ba693663

SHA1
6537f5b8de0a57987f9a51fa90541ee76cb93247

SHA256
819d4bd9001c293c8c6f2a2aa11ffa0d7ca806b280e6a3119e44d234c8555c7d

SHA512
59b79534105e4076f9b659c9b2423511ca6fd9f4fab8d3f4558da243591db121f0ac339932ce792a9bd145945a7aef16ee18ddc6aa58bc499b238af77dabf69b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
576KB

MD5
8f224910a7d1deb203d2054eb45f9e53

SHA1
e2da12a5ef1335f947dfac87f126c3a7dd3a4ff0

SHA256
7e68db4ce2cbb5f013a9009fc0754ec1f2cbbe0e3469e375263a1a0531bb0953

SHA512
117da2d8e10863e9a254bcf6eb887058588d6f2e091c13caae851b8543354227935f3e54acedf7bd3b758a037ce246f5799284d7c83190154cea761b8a94f4a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
448KB

MD5
9e42cc1871782d86b8047826ec70fe07

SHA1
8cdb52b79fc2a5d1e8bc3b97272351be8ad45890

SHA256
3da82b4a3612bf54eb1379a7e7108784da2d3588e2d7fca3c36426808d124c84

SHA512
72d5e78ce801b819db255ca384b9236fcad3d030824e15c65518cb5e71fe1128a6a1bd73e5292370672858b5c322d82ad673cb16820c437a70b1121047be2220

Download Submit
C:\Windows\System32\Locator.exe

Filesize
448KB

MD5
148854b5ac32ba02f3589f7a9cad4948

SHA1
c9ebb85a62dafc9e80efa7e773906d77040e15e8

SHA256
11bd39efc6a5e83b997b2f348eca4dcfa1fe4cab9a982f4aebabf24768894ca2

SHA512
5ae4ef9faeec27e99efe9fa97323210808120cbf0e1a9fa80dfb173aa55e1a0ba39f8dd07e675a637c6d52e50c75ca0fec67f0e6a9d3ed51f73f60f6893fbbaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
512KB

MD5
fadf9668d7efc27655a0352606fe487d

SHA1
91350d3ae737a9eee2609893bbe64296becc304e

SHA256
b3b218e5b723f9aa6d8479899a0f5f6411d02728bb6fcab4c1fa1d9207652eb7

SHA512
a64ffe1fbba6d8ad8bb655d598b920815109902c067ee4ed94bf5066e1560792318138910fa964227225d37b31cb0b732062e8810954f086a0c85d5bde3fd3d8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
448KB

MD5
c88e977f842f7b8350c60804731cedf2

SHA1
8589d9a9e8ec89d5ef8dc70bf7d29b185d5eebd4

SHA256
081b986cec50d20201e9e17a2988d2a96a9f45aa3b27daa3082eaf3c1768d664

SHA512
6a846e4e9456c3ce9bd13de0b0747b0a115abd02270d163a37026cd95b30de33ede50767b316d440c9fb6c288941c32dfe8f4d92f48a05ce473ec2f91443832b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
576KB

MD5
7b186f6c81d491ae463730f69b1b163f

SHA1
ec9209de8a501dd9e9df4e0ef393a8f0f52677d9

SHA256
b17c631fa7b4f062cd5ea5a0496477f73b2f0d77206f3c9bd86ec767bd8c2a6c

SHA512
ca7ded8939f00d22f0feaed17cfcffcd8f34969619c61a0dd817d71e0399b3071d0571ef090480e2f42418aa06829150c79f7e634e62f96d9dc2e3d65ab39ad4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8cf39bed5fa42fb1723d72a5a47a5048

SHA1
d1b87d9f44118f0c91e060011ab45b6944b1149d

SHA256
68c70f25a5eb2a0860f6f947a3331565053fb7f7db417dc265f3bb56ef5a5b2b

SHA512
5ff8317bbb616a84802886286c75beb9b016b5f8fc53dcf4c35e29b22b8931f2674e1a5f95c7eb11f0dd800dfd306b85eed93c5d4e0c8590e083df2b9c8c5f8f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
448KB

MD5
7d2025caf1455f47f08630045ff4013c

SHA1
ea6ad5d79df1b103bc27cbd8be66c2c4e4bef917

SHA256
30f012d4c67da115a66cf1a2bbbaa10d402c3e564aecab3327d4bb31f8049223

SHA512
9aa14677e455320d2a7f4e65fcc6a7d50d047814bcc06079dcd0ff6b362f1d50d17366d46f1dc7acaf4e76463e9d32fb7c2ce6541b6454109038a946a865b79f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ef90f0e723c91235d23dcd5a115212e

SHA1
88c60c6badf6310f52c57665ad1d39f75bb3d5fd

SHA256
8a007d5307fec29f33fd21d8a23cedb44b29a942c08632ed0e60df941bc6a72b

SHA512
df5eb2a98d1551e1e16d95faedba4a27e1e705f5ffd48a3f9dc1e0e3e9ae67c65aa18ab3ae8b03c0b3e8e0e75822c6751674534ec32271232cfb926b12c38f77

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
512KB

MD5
b8351f6073f9dcdabad61f342fd31f77

SHA1
7f5dad0b50cb39fe00272c73136764c5f5a586a0

SHA256
c754ec09df74e19e555c056ad604e8ee2bd5e8e0d718c0cf5c40b8526b7e1a40

SHA512
cbe1dd4c6ebdfe1f0576da543f4073e53da24b9442d5f58aa4daea26ec52de43fb5429b649ff9cd9daf57767b9c18647fb792fbf639e7ad86ef2256da740fe2a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1d67c3d2aaf7af29ced24e9c7c73723b

SHA1
31774dfb38b3d3fabd36f652b112ad1b5529cfa8

SHA256
7e2d704c8016a65f6c716b8bf03a73a97e45747495b5aaca0160a77a2aedbc7b

SHA512
dea0b4c2676261e82a9ab62a31c33678d5619381d1ae1d68bb2f202a4dd3e2d17e6c25c69ea2f1b9a76a5c2f05bb56d14639c1dd9eaf2d46450feda7c3d9e509

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
68a70fd7557206584cd406ad607f3cad

SHA1
e32fb33c91c640ece452d78ac96d7086b310cd44

SHA256
a004edefec71da6e9a26bb53d58f26e303e47521d3ed0824218b44d88853740a

SHA512
1df4d445780a5ed4d7def2e8bb240888473f79cc0d26eb0272aabdbd12d5d15f853f26e53996529110502f50b3720d8c112ee0a83d22d80cd64ff09f6f68b4c8

Download Submit
C:\Windows\System32\alg.exe

Filesize
576KB

MD5
f263d6c120beba0650730a68f802942e

SHA1
0da309f61b56de81dc7169dbcdd1851290d12bd5

SHA256
f7de0dae677f3e6f47a542a410dfb12c40ebe3659d4ada50ef0a8285528932ca

SHA512
7080f99d16042d01863be6d2096c3ed09332663c8a31e2c86e266e788d157063e82cf945d89d875538f060fc57b3d7839c455d92ee66ad7354072d72923c9014

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
448KB

MD5
f6f86a1ffb7dd44764319c23f02d3416

SHA1
ff4eea76f80157b13f1b606fe9581c13fa038d20

SHA256
0bd6bdbc5545b754a25c3223f9a4fd5ba6c6146f7ac8f28757d04b0fedc5565d

SHA512
a4bd68497a8759e44e4149342e63299cbe85836d10317e6507a2f314604093837d6cc333b0e116fe4617db7163741beb109742e19216d59187bd2ed21efa6a19

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
448KB

MD5
a6de6bfdb5c3fc0d6d58458e307e1592

SHA1
a87f15f0b6ce8f2e97b175c17b133c43c03478c4

SHA256
5ebd0ffbdc2ef21ab6bdcc0482b680bcfed130294a22a7c9dec04040bb5a0f09

SHA512
639fe078e1867529189e79e96dc2d21e8263476c95d76be888258e2a3c477b813d9cd7d5ad30cc80c97196e211f0a408b98b5ec2536956702847c6868270298d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7dde6b2d39f78ab5804a9a85522eb85

SHA1
f20ed7eae4052a5d490a30a159506bfec0c391c1

SHA256
bfc5e6a32efcc134dd54ab8ac86a2fddd0d83fae7a48f23def56fcc698c736e4

SHA512
a8f7a985e588f1f65fd55231fd0ad03cee4dfa830743ac1201102e9ce57a69028e2d26756fb5e9b442b044650be4008895226b28f03312348203865ade85d04f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
448KB

MD5
fd187a5489a3da39f07bdd95bf148f72

SHA1
3f5c9897de69e127c66e1c6b8b31e3b88f970557

SHA256
b53df574236ed80bfcf3d1bf33f0fabf240f5c378486043b35a7de9503793afb

SHA512
70b3c77f122a864b9ac8656334a04960f37daba35b8dec650d386b493d48a6bfba83d23f760b67358a30f50b3afbb27ce8998469d5d8805480fa0b10d33cd47f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc6fe3ba2a43ec393cf1cc70a1435820

SHA1
3b88aea6b935ae7fd947be59d62cc054bbe9c3b4

SHA256
f7f67fee64ede427477af2b315fd9ae7537c7b67d2a8d8a5f1e2fb25668694d0

SHA512
30658255dbea6e3503f69d56beca26eed9bb35999347f098987cbf35ba53a27e437cc6a92f619ce842835b20afa473fa5eb334d6bbd7ccc3460ae301fc714ed8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
af9775601ffd64c3bb1f4b5c63f3ec07

SHA1
83ed005499695aa913e016528e2f34160b38320e

SHA256
d1e4b6a02308821377fac5c3c3ea3f3033086b528968899238155e40e2cff969

SHA512
28b65965865e1eedeeca016c15c4df156e68e5897d227a4c228ee2f9c2f99350c3087c7969fbc38f3d1bb2aea371f15fe1d3d52b82978487a6849d32fc9f2f7a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a1b7fe48f2850e3a2949705d3e8db5fd

SHA1
beb748cb0357cdf6cfdf6227a3c899b24332cb8c

SHA256
ff1620636c3765530d18189e5189978f6a04e3e76ea3edc549fd4d1b12de8ef9

SHA512
a546e355afcd52b4d37869f17f7f0b36884dab289aa4a5f90a5c00602bee64696fae1b5ceed0d24f3e43825c5f5ce8ab9b75a40633b0a6c48343db3ffae29b47

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
28cf0ac97ef542f3fc89f965ed716220

SHA1
cec90086f82eeb5a76d7e805ea0f3f76321cac1d

SHA256
06c6e459aaeb1b5a5da877dc87068d985031467ba64497ec105af915722b49df

SHA512
6ed92afd0e51d9dd5dfdd474ef7a074bc6612c4a5cdafa719bd613d66da979d3de52349f04ea4ff730fbe3af0af6330180dca318f15c92545aa6693474546994

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
56d280aef80471d5654cdb8dbd6372d2

SHA1
b4e9b3f73517647e7e5a1fabc518cc9c091e342c

SHA256
e99a497ff9ee2a2ad97300a8302de06c54e4e9c5ff3c1cca67bf31ecb86de2aa

SHA512
ad4081c9954d65911dabe44f3d043ed5cafc6a6e4b235bd2ea4dd0fb56e2723a1c0a65e97a6f238dd4374ba436aa65706a3cad8a593ffe0bc8ec4aab81628c25

Download Submit
memory/852-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/852-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/852-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/852-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1068-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1068-677-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-508-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1268-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1412-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1412-93-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1412-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1808-710-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1808-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2140-241-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2140-530-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2276-188-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2276-25-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2276-33-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2276-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2404-286-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2404-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2656-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2656-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2656-36-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2656-6-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2812-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2812-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2928-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2928-680-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2928-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3156-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3288-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3288-305-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3508-53-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3508-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3508-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3968-214-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3968-485-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3980-293-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3980-700-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4232-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4232-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4232-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4232-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4232-78-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4296-68-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4296-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4296-74-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4296-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4420-243-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4420-554-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4596-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4596-109-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4800-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4800-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4800-144-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4800-17-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4804-162-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4804-292-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4896-189-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4896-323-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5204-711-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5204-326-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5280-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5280-523-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5320-717-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5632-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-726-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5792-502-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5792-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download