e4bf82d266eca55d017100176e3df79b7b462c8c618d9ca7e1ffd8e66b94f18e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
Size

5.5MB
MD5

9bf11f04e4461091e79e40b234dba379
SHA1

4f121d69441a8a13115b31678fe933682f71c4d9
SHA256

e4bf82d266eca55d017100176e3df79b7b462c8c618d9ca7e1ffd8e66b94f18e
SHA512

60b4a272bb36157f2a32b0127a9d47b5430d05c620f933bcca5d1d8c798f8e09ec1799a89f969cf76ba188679263f74e5947062255c1ee4db487fe93ffa315c3
SSDEEP

98304:OAI5pAdVJn9tbnR1VgBVmsHFdi4VEk0V:OAsCh7XY9LiJk0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
860	alg.exe
3980	DiagnosticsHub.StandardCollector.Service.exe
400	fxssvc.exe
2524	elevation_service.exe
1100	elevation_service.exe
4052	maintenanceservice.exe
1532	msdtc.exe
4436	OSE.EXE
5036	PerceptionSimulationService.exe
4468	perfhost.exe
4396	locator.exe
2708	SensorDataService.exe
4988	snmptrap.exe
2452	spectrum.exe
3472	ssh-agent.exe
3020	TieringEngineService.exe
4124	AgentService.exe
3620	vds.exe
2184	vssvc.exe
2160	wbengine.exe
5140	WmiApSrv.exe
5236	SearchIndexer.exe
5536	chrmstp.exe
5704	chrmstp.exe
5876	chrmstp.exe
5952	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

Processes:

2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exealg.exechrome.exe2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\14507f6ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exealg.exechrmstp.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

chrome.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587727057860337"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5abac7c5499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e26e17c5499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b63bd7c5499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e898997c5499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exechrome.exe

pid	process
4280	chrome.exe
4280	chrome.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
4920	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
6068	chrome.exe
6068	chrome.exe
6068	chrome.exe
6068	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4280 chrome.exe
4280 chrome.exe
4280 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3892	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
Token: SeAuditPrivilege	400	fxssvc.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeRestorePrivilege	3020	TieringEngineService.exe
Token: SeManageVolumePrivilege	3020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4124	AgentService.exe
Token: SeBackupPrivilege	2184	vssvc.exe
Token: SeRestorePrivilege	2184	vssvc.exe
Token: SeAuditPrivilege	2184	vssvc.exe
Token: SeBackupPrivilege	2160	wbengine.exe
Token: SeRestorePrivilege	2160	wbengine.exe
Token: SeSecurityPrivilege	2160	wbengine.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: 33	5236	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4280 chrome.exe
4280 chrome.exe
4280 chrome.exe
5876 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exechrome.exe

description	pid	process	target process
PID 3892 wrote to memory of 4920	3892	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
PID 3892 wrote to memory of 4920	3892	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
PID 3892 wrote to memory of 4280	3892	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe	chrome.exe
PID 3892 wrote to memory of 4280	3892	2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe	chrome.exe
PID 4280 wrote to memory of 3584	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 3584	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 540	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4480	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4480	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4272	4280	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_9bf11f04e4461091e79e40b234dba379_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e8,0x2f0,0x2e4,0x2f4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0719cc40,0x7ffe0719cc4c,0x7ffe0719cc58
3⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1904 /prefetch:2
3⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2012,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2536 /prefetch:3
3⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2472 /prefetch:8
3⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3108 /prefetch:1
3⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3184 /prefetch:1
3⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1720,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4528 /prefetch:1
3⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8
3⤵
PID:464

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5536

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5704

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5876

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4856,i,10133098798981846745,7199398451697738493,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5096 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:6068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2452

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5296

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
350a971b3ad3946a78fa0438ecc56534

SHA1
13ec59680828190570f66a87a011e38a6a7b7f69

SHA256
0094ad94546cf5937773e86ac71e4ff6d629bae7ed6147ea7142bbe0b25c4e88

SHA512
a81fbfdeeefe6e757d2e6f7ed9416eae0ec3cba9d9ce9e625f01e99ff90be0d459db859af82b050e29ba6d2e359622af218b9c570141cba9cc02cc745c74f9c3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
854a84b5d0c24fac697c484fa43142bc

SHA1
a4535b635a8d8622c8fe5dadaded7a78d7964ece

SHA256
228d55a135e0f1cac667267568e763fbd157a87845a7bd6f8fe28dfe4c376d72

SHA512
4a3a676e3e98e70346a644c3437ea2d0f48d2eb37db593a6c4024f2d316c675d65c5decfa0532c5c945f0c5badc4c85b0b257587abe5b5142716e11e648b0c01

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
be0e636f7fd3b4aebfe4a1aca349c5c7

SHA1
d8b3a8da1b1487903a48f5e920f1e1b368e29bc1

SHA256
1c08013fb96cc0eff2be0ce8701fbce8cc371e5f141f10c621e6e032c827fbeb

SHA512
48380caec9aae8afedf1d8ab323621dc083d7671a34af0e492a48a5f0104975b50b89386f3a1f54cd7eac79c78a7c08f30038740d53d05644f15e9af46685129

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
34692764b76b6eb94e9aa1f23c62e22c

SHA1
5baf92b72922930d08ed46921b53247e64ab3f6c

SHA256
8945beab5f72bed61c533497f8e8634240dddfa4fe018bcb96c13e9a11ab8485

SHA512
ec8e8fc0351c4e98f787bd5b52fd06c68d7cfc9958c9e0aaf173b9effcb59556a2cd2f37ce592645a1ab95955fa9a899f3f27121b7522394edddfa97701fc111

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
17e19854897f556ec67dc422ab4e53fa

SHA1
44a1ce198a606cd673bebfea01dda8404b4583f3

SHA256
08ff32dde5facb16a3d4e5a58276bac5b500d88b83cee5dc65a4b73b1fa0c25b

SHA512
91b4790d2e2368e50d4d7c1487503bbf301283d0d811ff0a25fd6994fa6a24f3e611254e81afa3d8bb458e27722b407359682bba7c9475b843c7f071b9f963c4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2e417505a65b1d48d4674e9ceed9153b

SHA1
27f7373f053177653a640ed2f72837d222c92096

SHA256
a9e5509f38c73c6e6f93e50c2bf442ca37f9300170cb4384a14adfcc05a9a244

SHA512
61126424ec58106c2524a5bc4433265d60cd3a1294d7066924900d6bc22764f580126bf22c1a976a30e04f98f2e34764ba5019af19a87e5ed75527cccdb73f6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
fa30214fd52bc6620553a3cedc2162bd

SHA1
b58aaac5668901ee9aa5665419f858b403ec53eb

SHA256
4ecbae9d670dba65c075bb0ab65d2c9b14a21fdda3529d74531cc0238d4438b2

SHA512
101577def35cc91e305fb5957b154db73746616a28bc64aba89e6d04f5efa35bedeadc0fc16ac2c800b4d64db245a1af4a926f3e5512f851e05ce347ad1b9801

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
caf689fe0d48d3bdc2d94d60ade98f7f

SHA1
7e4b15252244869acb6e509d284834f768f0785c

SHA256
d3d34cde745c6d2eb5ab1c00e1328fc05d620bcf0599ac876c5ba7c27dfca7d1

SHA512
28a5f9f5f35c847c5db407145bea26f2ef3bce7b1836955ce3a33d2b35f7be47185ba5d79513871ce1b715b68bcc7afa11c46b7a139ebd1edf8d046a44fa898e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
0bd85eecca9a5932cce19fd099b398ba

SHA1
a425e365797f42a297f0472d941afe5e46dc8126

SHA256
979f08b7c1aecc8cdaaca4d30f3ba8d572451cbc0debd9a6c459c4c0d8ccb579

SHA512
51b1ffd43bd956e501813cc0b4d1b864c254d0df80b421da0d16b57005daa7cbf83d847597015bb791773253542e11e5c95e84151579fc4d11493a97727fa590

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9710e8d6b63eeec81a66d5cc51a526d0

SHA1
68487e244a36c4a3ecbd3201d8e3a52cdaa39f99

SHA256
2e9e484c63d8613552fb68d07c381f4afcbc64c5281f494eb99f41b1c56e6feb

SHA512
87043e74643598fad83710f0c6692d4f06c1b039dda344f1a303cc1c7e02b3969dcaef8dbe06b188b6b8b42a39e370c356580ce5360112c1b0ec9f18a01283d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a31f813cc38f8ffd49188fee3aefa56a

SHA1
78478be03d8f3d2b9175e3164e038adba73ae5d0

SHA256
e2839f2014019e2ea92f6d5c0fa010e4babd35746c38d0899a337ad4da5b277d

SHA512
b6997a277189d17049349ba1b0a4582feceb693a4ca23d98f4d555b1cf20bfca1b9e356ef311eb7a278c7534e13b2bd89e05820f85488da307c7585499400022

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3e077afc7eadd4282416f16618317a2c

SHA1
c57a230d1eab0ebf1c6aa1ac3c76f5b0f8ceacf4

SHA256
b8f3d341923ed3c96ea6f9d1701dc98a08c275c89c90596a07031c00480fc65a

SHA512
1e54ceb6ac231f22fa4f7e703d8ec835c5fe9518399adf79299a06bcc04c499cd827e9e2c115414cc2f440b8ff8f52f1897786a23631d6fda20afbdf023567e1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
89ffee91af8caf7964ac709e0ccb7431

SHA1
9c35eea5e49a213de0b4450fbd0881ae975a90ca

SHA256
ee8f95a37ea2e2d8ee5e4b86f27e20948f308fc1bc50208076af40895b67c42e

SHA512
986b58de0580caf2d8233f4bd93d5621ed0b7ea3c064fa423c43f2c949fc833d621d9e221a3bf33148434b25c72ef590ce5c2b1582629948e584d624cb385424

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
52d011cb81d7158f30334661498105a3

SHA1
0a5a878baaa5a61fd36a0416e5c8a7fc613ae467

SHA256
bf11efbd329b1b52665a04bfbf637e1b280929914dcc0a736e6eec63443d6c14

SHA512
af3e92e91927e7e5a59841098546ece052fc6f8bf1749fed34a55b16dd0d738913ee84e11ab86c0d58463820b157fb3473ebbf529be2a6a21f3d2725836d06ee

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
a9c314c99d70b843d50e840f2c5d57e6

SHA1
6b60cd952225bb01b2d32a555f045bd95cfe45a3

SHA256
20fc971605b00e9f82155583ec063ff6d66667add4a24af1759f5534d4e2637d

SHA512
5e6f3631932d1e5d946d7d29231a22f0db62f1eb9406dbc182bf229ae059ac088a90103cd82e286f8d441dfd4d2ac54973abcdf8753458ecd418f2f03a5723a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
4961bd7b60703d1bb9656c37e2d520f3

SHA1
7dde71b06945904ff7c5076a5f6fe86ca56784c9

SHA256
272a016c15cd8353a648ff592fe3e2d78461f25c4f8cd88249bc9b2dc34f60fc

SHA512
e16bb69931c7c764b62d2430860a60c37364289e06f5e940ab5deae906ed47f755c9e85a02254c57126a11d187059c8ff23f9fe0c9d5e78904ce8f8f2c3064a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
2b539479258db89ae6fc9677f9c77096

SHA1
bcf8aef31e33f4e8cc774732710a48284cbc66db

SHA256
710d96b66a9494ba63f0918e417607f98487916659acec3a462f2fe262a93c4a

SHA512
f593085b3f35e1dd672f39767abdc6aa8796b5862b5e9310f830aa021224f697259b63e9770381929e1c26263ee3570c35a0912cfdd4529f81571174c8713cc3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
ee533c9d61f74321e0f47d9fe432c09d

SHA1
2ad1feb93f1b95d16d895a6c98ecdc8b65c971c4

SHA256
f1284193b9f9915b04d6fae7a661f174a6da71d1b88af70daa1b910f4ff7fd30

SHA512
984cb720467f856201cc8c69386c0a39466c046e71de711f7ead910ab7d10530fbbb1b6bb333a91ffdcebb2d70eb417b693882c056b6ba875656a8d927fedabd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
ec134ad7bce938fb06453fbfa1b0fec8

SHA1
c41a800d3f5867192e100fa01d982f7ff639ca93

SHA256
22fa4600e876273c36b8b4c48d9baee05da7f142fc1a34c10bf3191bb96ac9ee

SHA512
e25810c207ea68e6b6c4b2e7488d232d237a6f6c31b18daed6e04eb07720bfec1fd7df928355a9021b43e9f3489b1fc43e75eb34e28770fcc32db454fecc09c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
af8d7ce6776a1e9c17f99f8f4bece880

SHA1
faaf781f3f560b01b0c3d2de507f10d3f7e7f708

SHA256
1e1289eb546636f701e52e39b30863685d99354400b87b1e53c7c6eadb790ff6

SHA512
1dfe96036b20b3729befeae9843b42033d3b9dc68a3e72a1ab9328c9cbc0d11fb40178d4df3d4f672a85fcb5ad08712e301bba52d3abfa94dd28a60ea61392e9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
8c7a191e786c99fc257c527a8c9023b4

SHA1
dd4c6bffb452c39cca817969cd62b9792ebd2ae0

SHA256
2386aeaebf911dff8fb8e331e6554d579ff3572a0dfc65758507476380030bd3

SHA512
b2f441106844569610c65187d596d139205bdbbbaf52731458c48afaeba5826be4746e32b7a80713d0d46ac88ca80454e0971e4ae0e5eb5e861bccaf135edae6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
b9c1134aaca36d76edec478017dc5d76

SHA1
0abd98b46d49da6b6d767a4dc9703cc481be2541

SHA256
aa4fa3b64f4b04488945c38818ea76cd7e0a5db8653bb4f973df5a84b59831ee

SHA512
2c175ae4db96c070d418f2d31a10f527bd2d01900bb1ddf0d21a8bd6ecd13a46ff6cd6ff8a410609bc597727df04adf1d49a78873c71612fed87a6e307bd6dfe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8d6ae775feab79a96ecfdefd97298eae

SHA1
bb03d3a07309490551e50bd56af86841be478f71

SHA256
d1d1c2954efe7a3146cacb60fdd05b230af7c7b8e3fed9894ec1d1aed28862d8

SHA512
386c02f7263a8bcbbaa773dd45f128cd2d34a8d7ba1d950a014edbd6efebdf3b1022bf05c8f1e244ab8ebb5911d80cc609c2fc4f67a1c3deb4777231c387f084

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
30f78bc5d55d29ff692d1993a6c60c36

SHA1
e9a4ee1cb9c8cb0ae0705d30dd6461229993f94c

SHA256
7e248703cf838ff94354b9503137213759a16df2c013e315c746191cbe862022

SHA512
85773d8e7cf1d7eb9f458daad984b46908baaaad36a331034b624fe723541619ec3609f12169d83664fcc22e3f32c5b2535f42ac38a704003d1bf150d456d6cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d29987da10b7076e61f8e7f5f8166887

SHA1
7fd897530f50495965c72d83ae816d75df4cf08b

SHA256
b088d0c6c3e89d0f382a7d5c8f0419309d4ddc560fc1ebdfe7ec7ebb0027dbe7

SHA512
f263d80a10193b2a6f6dcb126d2e35858e1712f23d070f5c48fcf0c2cfca36be2fd3b12a8476515c321ce9dc1c301ba37fd062d6eaeab0c783ccfce2dcb1d4d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
3a85892625ccb99400429a4bd85976fe

SHA1
9d6c5fd1ca1bbfe6d392c609c032716d66d13a62

SHA256
be9e0abda00640344e4969aec39479a5760208cf4aac1833fcfb8716e9d637ba

SHA512
4be124530144c1f3aae7fa992e4317deff6f0b92767f52bb36b347067cad40eae3ced77db77339cfd409237e2ed4afd23a19575bf980d253a5be346b9e55812b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fe58e92b700a3d19601e8f8176a98ebc

SHA1
58bd42d63c153470a500684a9a3a400ce4fc11d3

SHA256
0cdcf796621b0fe55f0b376fb2faed85b2b9339b64bab20eb705e14f48443fb2

SHA512
bdac6f6ee78ef39cc2a60c20ed25fbedcc9e9f7c2aebcf82630f0f7e5632069a249feddba7c729d4556e538433f47e4dee137ed7f1bfbf0cc872229f50940caf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6e5a5ad0eecaef4a7ce07594318f000c

SHA1
7332b7c884d245ae6ef8503992645f1ce297299d

SHA256
3f2cfd3129c84a759d885b6ab5797cfdd8e3d671f7aac1bb26580b63dff21de0

SHA512
7ecafac8d94214ae26a5f371c0515ff22c242c2bd9a66943972674bcfed5b27ab854fc3b78ac7b6c8dfcc6c541f30f9406451bc339f8d3ce0140fc4a6a440952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d7aa2adb8df1919a63c301a4789764ab

SHA1
cc6128ba320dc926dca1b1828d09a1f8832cf4cf

SHA256
5c9ff4d0004a518a01338cbfa61cfb215e59742d9305588f859c9174c843ecb6

SHA512
00db06dce58d1db949e3bb818c0d6c4ad3238afe142f7ee7792cedf0def462e2c3f6c8880a5ede67f70024ce0e31d972492db4081db6c8e38eead5432db5b615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
00c920ffd2ecdd56e50d31e7ffeb6058

SHA1
f093905966ebed2340c7b558d9947112ced84ccb

SHA256
4fa944215dbff254739933a12444e78dd4f4c441d3ad8fa02b1e9a8c967db514

SHA512
4a23932cf10579dc82a5848dbb3860d79c4be9f1987fe7721cacb39f319f09b1e9dc4b822870091a2aa63a6f01879244a61adf1d2a72e46fa45db8941d5d3395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
12a226eebdb769c7d265f59703519c46

SHA1
e204d086cbe65393aee276587dff3b6ad0ed9834

SHA256
36ddf6157b1177c8ba77882633538f7c8595cdc40f091223ff2c15640888c4df

SHA512
a4d70747061f9c19c4b0766806e03e85aebbcfe188ea10eac63f90bdc3e1e2ce1e2fef550f467488f51323a5400cd1aa34cfe72cba09b0ca1d77c5d31660c52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d98cf5b2626b7961b09f57582d72fe68

SHA1
f46b46cee4a22f6ca0af5aed730aabb3cc81665c

SHA256
b420ddd426858b3276e02c673f6800663e309df3f2bc831ed58e72110687fd0b

SHA512
8f1bc662344eb0b85179ef8a7183c12a36031df5d1987cb5fcb1eb6363601d59cbe66d466e946ee5bfbc997557715c5db94e858a47e57fcc709d7160b673bf45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d0abc71c5f72fc3227c94f3c03fcd6f7

SHA1
0a5a91ceddffc5b7d5ff57d0633f32e1beb696bd

SHA256
03be3d5464b18f1b3de5e24056eed9f105881831c52cec9cdd110acc0a3c320c

SHA512
d8f2372f25459dc1e87e4aeca5ae7c425261518939f68897978434241ea31c3b3cef4cba3a745fbb6eb19ec1620d2b9f410e8a89fb50939e03dbddbd277778fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
758c2f2a3fc0651db269beb6aef9d797

SHA1
221afca135ffa87c61289779a03ee4895276da39

SHA256
102db472127c5f8de7dcbdeeff2c54bb855048430b5a72aad0048ad6972e2556

SHA512
64679d849f15d604cd20f01862e665f40ceceb9f6bcb11dd1d90d5ec9aa1e71a31f89238cf2e9309a98f04dc9fa41a8753de06b5a443f85543e9b586f5d151ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
49b4b3ccf8c3d1f3d7a091c5cbeeba8d

SHA1
cabd530fd5ae7b896c291b051402d18e473dffda

SHA256
771f626eb17892f57ca319dd24c64bc00f4b816c069b357aab46e41b12172ba0

SHA512
debe174074d2b964fd25e8cd0c39925270babc4135456bfc4596184206c041fd5af4705ab6d3884d55ad8dd63c8a449b9599c6569d2084fa531660777aa71794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5760fc.TMP
Filesize
1KB

MD5
eb6b4b1b3269954f5eb0b0a72fdba5ad

SHA1
c0029b3cb2e8ee81a51659d48727402d446dcb3b

SHA256
d69603701bd9ae997058a77e4766878806b0609964b1eb8d46d3d980c734ae04

SHA512
7a462f826f2fec896ed9a85b3500677e2e62cbbbba9e4767214cbf8b621c2ce0c1fa391e22f21077911848dc28c8eb5f9eb2706d15318cd338994a78b41b4157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
2326d756c176cbc46ca9a33794d3c78e

SHA1
b56fe349044eebc25385d80b1d297fa56d8b1436

SHA256
50160fdf0ebb9e03ec53e0fe9985146077fef25eeb29830327a0b0b51ce1468b

SHA512
03a4e3baa5bab8b7ef52fb466a89733015c5790736088dcb85fc2db086fa9eae4f65919f1220f20325cf06fc03b8a8820ca7b0ce6a978cfa0a283bc6b6a10a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
f6ff00c18eb39dff8fe5a79c22dc012f

SHA1
9afcac256f9c0b6f98c4a6d1cf7dba0447524e1b

SHA256
73b96c9a3ba9d43e6380f907a94a7a91da96fc79d28bbcaaa32ebab2074d64c8

SHA512
c1c5e96d32cdbc33b35d06a3d775ff9b55654bcadeb5ed705c1ef782f8ea4520877de59531cb2e90393c97e80d75aee14901b947ac6ebf415080694515b020f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
e105807b2cf856315e86fa5f937ae116

SHA1
e4aa3a07f881942dfd8584bd8e56b1909849ef95

SHA256
3bc801235d52099e4e904bfd11c6710b2ecf3672e8826737a651515c9cc11874

SHA512
35b0def4cb2444b4bda196f3716d55e3cb25e59b5a6faff08fcdf297607b50b03de441b30501391f46972eff8dd5ab1482cf189b66c8f3c002c0966da81ac939

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
f91c11e6241a0d253d8eebee72f16f80

SHA1
0a45751880d06e96111a5dd7f543d68feff9ddad

SHA256
8722c595c7b7618d0cf9c787741e4f596343321fe72c02a938d245fa96b4f9b0

SHA512
6b1f66f16215213c35c28773d0974ced00db4c3ef3fb92ab495fea06732fe93796bb2cea7838cd206c43454ed4a1920198400984f3f0db9456e3dfadff60d7ab

Download Submit
C:\Users\Admin\AppData\Roaming\14507f6ad45b396.bin
Filesize
12KB

MD5
d8e4822771e11a7c201606a08a220ac3

SHA1
99063664f2a93a23c29565f9bcc06f2e16990c33

SHA256
0e3864a10584eafba3ef2bf155d7f8ba2ec660808a79f8d75269710d5f1c0956

SHA512
4831eaa71e1155a7e5618108b50a2ee50f95bafa08c713ba58b1d96e9834e3e7f9a13dfc0196510c683d9bb52847f49db48e4a9b58ab6f4be4de399669cfaab9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
412df11abc7474ef54c1bea878326748

SHA1
827eb9127b70256962ecd3fd37660a1ad9df536c

SHA256
66196010629d33193f1eebaeb45c549c6301718a64c5d7cae6cdbf31cacd89f9

SHA512
99299e8a384353f385c79709003dde4f0b89a8e021eddb58755effc7b7f48e48bdb5b3a25e5f20d2c92e98eb9df54d8222fafa0f8baea5d2a8ed0342f9a81fc0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6d4ab15b36853b3bd7fe4e10c0bf371b

SHA1
7b9056ab1568b10de068f1da5edd950230a0a16d

SHA256
94c5e65631e3149f75c1873a2df3750aecd4dfcd0c9a87316995b801126f9d4f

SHA512
7f4934ef1d7549c54b2d430713733e81317692b2da3143ac224cc6df381c0bde3a5c1c5a5e8cfbddce1955824ce84d11a14bad9d9c805b7c7b9200896da507a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
471ceb306aac53a1be8edfe1be622f0f

SHA1
bd6a28b9e77ca501b8c3e19d83254e30cd2a8b0e

SHA256
f7d8c35e26f7be9608dbea032d3a8a1432f240c2eebfd4034bdb1577b1dc7352

SHA512
5a98db6a58bc89c9847d9afbd2ba2ae7c049356a44d97663c5124474c0cad50bad0af4e4fd36e67adc7d2bf4a45ff18323cd714078bf760b138e53c576dde2a7

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a7a08c4ee3db221ce90484c73cbaa88e

SHA1
4776044d56318cee3111afc37cb1de0a6c3fb577

SHA256
bff250289101878f275b0d8d32bf5cd87ed3b291ae9fbda9f93ee8efb4dded86

SHA512
aaf4cf51454ab4b3e44ee324e655d8b01848efe7d98ddd03f1a3372412935cd049acb5c2dc3535e3b9c67efefec86a3ea3be452575ec8ed09ad77f38413073ce

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
bd760aa53ebf427b034b09b4e0f669e0

SHA1
bd0c03ae1f6982a9418b989cd6f2e21fd5db4e69

SHA256
7ba7fa22a1309bd8fcb168d2d6b892b95c681240ccaf9207cac4ab5bf5eb894d

SHA512
d5158a6dfe051a4a37a404d7eb907306ca1e3185d9b92ef7e8175a5e512aa338dcf9f03fbba5c18c9f5b77ec33f795c9db639d61db24fb8ceabf8c10abb36123

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f1d2448c06e14b8739bcdf6822ea85fc

SHA1
1b3a9f69ea9a4e759a58a2e8828c6b70ca4a01b5

SHA256
9dc380ea76854ce6047cfaa899c0bac613433fbd6d950e0d71b315e512c8a697

SHA512
bb4fd6ef196f2ec5ae20c0bb8147575499c2fbd197e8319cd5496ef63d759a88332a21eda4795beb2cde3d51a75126ad1e8f39ef91718de47d2ab7ec21c35878

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
32e836d50a8a65a04976571ecc75c4f3

SHA1
086c7c5d366bd415899182787fab5454cf15b0a9

SHA256
c6379e54e1478b31906807f544b514d6e147934d7e5ee880b0d06fcbf6a6c44c

SHA512
ae39569491f3cb404e3aac5bfb80de848f2a3ac15788a0b3a94deb5ed758992da5b942ea817d632e3a5102d7ab875be6a66f0992c6a2bb91949b53ee846e965f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c532ad380c8f688ef1eab133997dc891

SHA1
64c9e774ea10fd1f95a106b73bdf9e24c208bb61

SHA256
f42687d1a2ab22dd8931bec11303191b4254cc6e38d15ef8c12a1861c019c8f4

SHA512
cee7b3a66249e50ce7415538238c92f95941457f55b32c143e0b8f4ca417a52180f1df5ad357f0496b5f10a0636e8252897806ec8dfcc8078e49ce8e0fbf55eb

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
489db47ebc4743af262c825d5856d185

SHA1
a75ff49adb67b7c76c6f6fece14a52df380b4f0b

SHA256
eeb4763df34d5e6bd46583dd4857c5d3b75e3c3faca655feb89ec1bee0f1450a

SHA512
e56b31988115d8b839fd6405e6b955c946e4fae8adb9f15984e71e345d81ca6e0968acadb3732c9dacc481a95479598d07d5521d2d8e5f7b0273f392da0d94df

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4ff82cddf9e1debf2f0994b1a1b21e52

SHA1
9c4d69164b47eed5a29e9b3b9ace2e7f50e981e9

SHA256
ad6b83aebbf5f08508644c1e61a07f0914246d5c32f077b5a7d9ce44b5215f19

SHA512
9e68b17e6e8b16c755b4b35a8350abd5bba75d297ed6ef04ef2ba349a7c3f5c874cfe13701bb2ae5682be5d6f77ed7b372786df96a061d923bcdf1a9687ecf9c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6322a7adc9c9ff70cbf81ffbbdcde1e7

SHA1
4ee6ed3ddd54fc0566a0fd30c255bce88971b349

SHA256
5f9ab02408b7f0330fd04d64ff68a378432156328ef047d984d2d2d3308a2718

SHA512
88a152e977f26766a4ae7902a1d8c246dc3f45cfd2159b65ffd3a827ac7b98cd3443626cac86ee606c85cdca3997e7c41d0dbbf7fd74c14234a32c4998cae234

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
10713712a868ef132962c86b6ae3db2b

SHA1
f0f3cc2eb31885d2d5e2bf9cc249335dced72d0b

SHA256
ba6964997c36e566f2f4335c6fccbe2766622264aca559409e8016f58932f8ac

SHA512
4c13e0a3076ba079dc743643a1e59b205ffe5d1125b1d2da9a57442a38c59c074648147d168e74e5b014abc28d29703e697ad8d0d5cb490e5bf0d688387f8a39

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
b24a3182947bbb7c48e39d28646941d2

SHA1
910af200602bf6796086e9547717560f1379b0d9

SHA256
736f3d272dd8a5bd9aad1f754929dac2a91beaf5ebef90d4b6c7906a38d42b8d

SHA512
32a134f9523a0b04d7a7132906eb53495329a92fc1e9d1c01bb402f7783a6a8553c1d1de2fb09028c566deeec41b95f7b5f72cd452476e9ef8cd883c2ba4df18

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
ab545d1c676b1b26368626f63bef92ba

SHA1
60ad5e18371b84def2abcf5e2991ad0cf75ff7ca

SHA256
d5f8e3597561843dec2fab3d47b65129f10f2319475c8c36b69fe19321cf57ba

SHA512
a8b68cc24d16045b0f88cfe594df8d9bf49678ec0f137bfa536f418abac1e96eaa85157fa088983ca65c1826151e1dff26b6acc15383d026560daec9b44f4a3c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
65c1da61ef6b087970e5b72771032357

SHA1
506fc202e328d6fc26f019461bf63351d55ff582

SHA256
e42db77d34f5b5f23558d93a1fdd1396da3826a62ffa828ee8ef9a1116f1399f

SHA512
d26e29e2cb40bdbe60def6f5899dc47d6483199a4ffdd9b8f9d522597b0f4bee9d751c482c6cba84870df23f0ee643b3c4d8a2936409ef89455c64ad9e444cea

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
1ffe53d01520a9a2b21638d74f801d04

SHA1
7f942bfe2ac30e61d5f4ca0c6401078a64f3c365

SHA256
930494fbc5b3dc3c057ae5ecab979895e3325ffec7c2a2dc96dc2ff89af72f8a

SHA512
3449ac006e3ff82b75bf06827a3b281240c88272c1ccac444fe8ee2bb624a8a6f4e44a28627d533a1ecc37192f82e224d95b85dbea56af08638caa464eed7660

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
1a30ddc2360a3677759c94888452770d

SHA1
ff7a3425c01dee6d1d02eb924f4b567262b30960

SHA256
27f87c8a91fa15ef5f218ead97d5fb875e98b88f926086b303d329ec14a101f8

SHA512
a2ee0ce2911369de4ee78d334f07d64cfda74a75e09d9957f2bf8db4bc242390473cb0a1d192bef6f82edc47cf1f8837246265bcba17324e25857576442c239b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5469b9df10499e438861973ae5ce07a8

SHA1
5e06402f1ba83e44082462de2bd40ba7b91fc326

SHA256
b7bf79dcf34841647c3fdb445ce2816d16e0ddd13cad9ebd348fc24d188d1037

SHA512
479045b22b12269a92d36d46a4bc476da34061cfd33c4c315c03a096c19a757aeed81091d55847ec682d27a0b56fea3491bddfc2c40464d026c1bdfe52352034

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d34a3905dfaa673730269e8fd7402c70

SHA1
c95d4b82421d66c1e636ac3725a4bae346b163ef

SHA256
3d7be8b6b60f82058826927495ac94778b6240a3e605214c1ac3011bb5c60004

SHA512
686e2fafd4d6adaccccc584e4b9f3ee7f2fb9c8b45f9818dafbc31ff1ecc1a0bb7cb6e6ee42682b553be9a9feee77bb878e9d97ea45c9fcd760206e31294744c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d36e29233659545c872272912a2a18b4

SHA1
ed37cc829359bdd4761ab198716049d1ca315655

SHA256
0eb8ad92627610924616ad0ab9014769d45f443d032c75ae419e94eca8a8e27c

SHA512
ce51be47fdf32bbda9bbd438202335c939fac8e87bd11698875695ec9d2e25432bdf53541de0460e923a06c9514b7d1990e1562867b1c7c551acfec51d15f845

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
1a3813016f098f68ca704db79fc8f6e9

SHA1
cec0c673fdcdc7f5764da77437a2458abf34fb6d

SHA256
e8223211f70693fe068e01062784b80a38e8f50a24cd710f36d345138d345c2d

SHA512
1454ffa3cae35e24e465f3520781de308e5a8f0b792f3f20e1bd0f0803f076bec978780b34b0889ce8868505512215f68c1b78bcc249ed438240810f4cc60975

Download Submit
\??\pipe\crashpad_4280_EUHFSNQEDALTMDTH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-84-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/400-62-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/400-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/400-68-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/400-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/860-514-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/860-40-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/860-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/860-30-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1100-106-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1100-103-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-733-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1532-127-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1532-734-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2160-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2184-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2452-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2524-80-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2524-74-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2524-82-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2524-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2708-298-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2708-668-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3020-302-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3472-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3620-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3892-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3892-6-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3892-22-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3892-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3892-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3980-535-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3980-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3980-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3980-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3980-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4052-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4052-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4052-109-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4124-240-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4396-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4436-163-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4468-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4920-10-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/4920-20-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/4920-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4920-502-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4988-299-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5036-164-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5140-308-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5140-742-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5236-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5236-743-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5536-505-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5536-575-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5704-518-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5704-753-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5876-536-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5876-568-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5952-563-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5952-754-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download