647f5aa5a2ab133264ee460831efc8b0dc6a1688d21256f413ab83b0dfe59b0d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
Size

5.5MB
MD5

452313d742e6babc7a60a194117a7128
SHA1

a69330ac385dbd776dd49ac1e5f740ccbde8f42f
SHA256

647f5aa5a2ab133264ee460831efc8b0dc6a1688d21256f413ab83b0dfe59b0d
SHA512

67288998e8fbd940966ed4a69f4e7122280d6c277537b0139eb05c61ae9f40f63d67f3a544c9dee92943cd20ba01627f7358366c09f6c356c4c4dc91521a87f3
SSDEEP

49152:pEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfD:9AI5pAdV9n9tbnR1VgBVmEfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4984	alg.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
2464	fxssvc.exe
3240	elevation_service.exe
5012	elevation_service.exe
1216	maintenanceservice.exe
4788	msdtc.exe
2380	OSE.EXE
4968	PerceptionSimulationService.exe
2648	perfhost.exe
2288	locator.exe
4148	SensorDataService.exe
1556	snmptrap.exe
3548	spectrum.exe
3992	ssh-agent.exe
3240	TieringEngineService.exe
748	AgentService.exe
1700	vds.exe
4492	vssvc.exe
656	wbengine.exe
4960	WmiApSrv.exe
5244	SearchIndexer.exe
5684	chrmstp.exe
5720	chrmstp.exe
6100	chrmstp.exe
6012	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\176bb1b0b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7ea11199dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f77d5199dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e62f34189dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da9c03199dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a15b6169dabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a468189dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f696d189dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000623a01199dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exechrome.exe

pid	process
1820	chrome.exe
1820	chrome.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
3600	chrome.exe
3600	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1820 chrome.exe
1820 chrome.exe
1820 chrome.exe

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	100	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
Token: SeTakeOwnershipPrivilege	208	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
Token: SeAuditPrivilege	2464	fxssvc.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeRestorePrivilege	3240	TieringEngineService.exe
Token: SeManageVolumePrivilege	3240	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	748	AgentService.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeBackupPrivilege	4492	vssvc.exe
Token: SeRestorePrivilege	4492	vssvc.exe
Token: SeAuditPrivilege	4492	vssvc.exe
Token: SeBackupPrivilege	656	wbengine.exe
Token: SeRestorePrivilege	656	wbengine.exe
Token: SeSecurityPrivilege	656	wbengine.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: 33	5244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeCreatePagefilePrivilege	1820	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1820 chrome.exe
1820 chrome.exe
1820 chrome.exe
6100 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exechrome.exe

description	pid	process	target process
PID 100 wrote to memory of 208	100	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
PID 100 wrote to memory of 208	100	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
PID 100 wrote to memory of 1820	100	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe	chrome.exe
PID 100 wrote to memory of 1820	100	2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe	chrome.exe
PID 1820 wrote to memory of 1552	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1552	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 2308	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 3952	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 3952	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 956	1820	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-21_452313d742e6babc7a60a194117a7128_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe92f0ab58,0x7ffe92f0ab68,0x7ffe92f0ab78
3⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:2
3⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:1
3⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:1
3⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:1
3⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:5400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:8
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1908,i,6002553254328258942,13337188807594599681,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4836

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4788

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:756

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f90498b7865fc3f0b55c8e69e090fd8d

SHA1
f5c0c9a3bf2c3b532cb212f27869cb9145c59a6e

SHA256
959e45bcc970d2edfe7dcfbdd9e2476031abddff718da82286b8f9ecffed6490

SHA512
828bb77d96e2c5005bec3ebd19e14696392dcb71eeb488f2e024c490d655ce2ea3d16293966f0cf7907bc2dd81d1db6c2ba34e61dd2d0209de8705e99249b17b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c5183b9f2b2bbdf521ff4d51e70b00fa

SHA1
a05ed49b7e39e35f183429e1731a030a5d1c3409

SHA256
ad97cbaecfd3102e721c7447fa200246ff702643b607e3e935cd9e8bfa2c5fbf

SHA512
fd57bed4ada5d492c25a1aefd5fe9db65a04a73053ab59a9c5d6741540df46f37dfc8cd59a0d3c4e276f987ad0cceb10686a584f65a6b184cdb728dc021baa06

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a8ebbb43d9f5c22d75cf3c86e3cd83a0

SHA1
82d830ef9e370f602a299e10e612d091d89091d7

SHA256
1f36c5b62b63e78e46b46f8650766a3747a437a9c915860668ec4c8da006f778

SHA512
f42973aae3051ce40676fda8ada10aeabf3e16346f3345e44440b7ca5d0adc1e46f3eee737161f94d9ed36e5b524a97908caf0c46fa7b088a1e5d0b40e46b0b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c922c401d95def68039f19eefbe57755

SHA1
0131abd7689f632e4de835f215574b7afc4764f2

SHA256
1fdddea2577c7695e5c5b6004ec2ad3b2336d22dd5f0e3d910cc989b4a1f5d1d

SHA512
8d70beb81ec894accad107a19fa1185a5bc02055f1fcb00ff6dae7c408ea238a6df59deff4f9346dac819f38713fc02312a5c78d8720aa5c7b89b6c8c38a469a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a2f9541c13f57d4e6e5b6dafacf6bb7d

SHA1
ab775e196dd4391cbd951fa0524fcfb793d718c7

SHA256
5a7e497915ab39f920ffc7bba10ea1aa10087322c34cc982fc2f7ce605c9a939

SHA512
e6dc53ab1aca1afd6a1af3b66fd22eab8b3ce6718627dbde551d9f726d4f43d59f0954fb1a83434eee9830ca6874327e73fc000fe3eabf1e490bc359b2c0506b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
70df81e6b8049b5d83fc57da0a39d889

SHA1
9daf10bf4dd437af720d5d8192084ef685759db8

SHA256
582a1e250b53b10e1f80325b5ce80256ab1eafa4b5f2cd2b88a09695d338ff09

SHA512
86e6e21b9cd825423ab6b3dcb766cd81405cbe5114cb1de32ff3c5903117826f1a7dc94026da899f0737df2c3a7bf5b52223a1b6b5be52f60fe2a0c8f8274fa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4cbfc26a43a52cf7c43742afc8094415

SHA1
83f8f41ed9d4d5b58dc668f3e5c6e18866b37621

SHA256
00b673461a9513621b30be70576d038e30978e7daaf25e4c2ddf5194988b87fb

SHA512
c12859ed7b177a16ba59254a48bc7ea7bbd05c7171a8655f5e7c6ad888115bf45654f446bad8c3b921c7b9f5b753dba75331ee16e986a029f0e608174f678b9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2ce3f6fc9e9d42ffc3143f8849e3d00c

SHA1
75329f1e7a8458a4a4cbce261fe1b02611cda7b5

SHA256
a2b44f5c014af30daf15e7d1944b0e5fe7f807dfebe422738ccc35104aa4dc08

SHA512
31ab0e3759977b22e7397b43b639c2255fbe93a3449fb20b6becf10265291109c629935f3b6cf617f439d6213fd56b32e4adc2f65975b8c8506eb7f50242906d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d6b3a56c8adbcd26489b6956ec9ac809

SHA1
0ea13968bc65a2496bc91c060caaa4586ab8ff85

SHA256
541f4a0b7ea3cfc78fea44b5c01548b30258964ad5c1200ee58422a05d086dee

SHA512
077c944f4fc0cd1dc1611bf7c6673134845da27b53d6c4cf9e10fbfbba6d50c96c0a2d9b5cb6786cf810adf9e99bb24d2e1074b7725a4f5c86d383f218a2d316

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a19e553ffce7549b4ff125dca69b6b9f

SHA1
64a207fac6b4dc1f6ee3426f49a1b34ff2494d89

SHA256
ce0c9a121854a2bc389e255cea01c0c3b51252fdf8c3bed4dff10ff6c8bc4fe6

SHA512
53dbebd5e7241fbf69276cee3c2bbef999df85b9d4ad1d58fde9a4d3dc2e494c5e781865bef2d7c9271127496791e099123a304764c263639d003ea06aba89eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dc10b89faaf5d7c482ed308c4bc64092

SHA1
7d83061f061ded696e518de18977b7e59577eae6

SHA256
7bcd6eba4af03545b6925ab9d640605ecba1186f4f06f8bd9a8b06e0477e30b3

SHA512
98dc6e97c6955b3a5f6af2dfc538017ec6a3565eeecc7b1f886fb82f1ebbff83263a19ab6fe916acd58e968139087edeb6e2121a862dff0b083506983fab6cd8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
59fe7e61a6717092ef9548aeee6fc55b

SHA1
debb0b46e18f0f7916030df59923afb91889ab44

SHA256
04020fecd7656b84a94fe6486d34bcf7b629ae0a9dd343cd897c2c20b7704e92

SHA512
a4de8a675f5c73e6dc2f69a46a10b8a4892ecf5ceb97fcc5dcd1506dd814aedd52fad369706293fd2ec0a204e55d7324483b2682c461cf2faf10a21e06d014c5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
027fad0755903e0b1e285653ed2dd1d4

SHA1
55108d2fe53a64d8acdff35622a6ef00c1192350

SHA256
592a903e8eaaf7b782f4e7a7dcdffb2fe7c1704d15e03b9e05c14b595118f45b

SHA512
d532801309db473b0a01f7d1945c5ec17385947d6f891eefb7a69b2653c0389860344a0f8ab4d2617895e44fc7d6ad09fc327c72d4df6ba65cb9694d3177ca9e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
817c094a3c6d0fe5ffb099a56e75ec7d

SHA1
45807830c79d129cf45e1ddaca7f17e2acf023a1

SHA256
765592d36fdb9ef96926dd1e62439f1d0de6a814d208ffd9b47fe854defd6711

SHA512
bf756f8e111b5faefc9bb31caea898395441abfeded5f9d4a1a0deb3c45ef4911d11f08742f4c99812629fe2d652251827dd723c03a003c79d0702acee878861

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ff0b8015191aace12e63296e1b0f18a0

SHA1
0a5442846d34c115a0a733f11ec1821d0451f689

SHA256
8352b231248eb37be3e25814b9a7f04ee94c231a4a6292645e62f9e4cf5cf948

SHA512
52303182cd8e9b962a7db595762f21d02098f8907d2550bc54f78d2ea10cf242a3fe9fb91712352bac5bdc7635b9078111c75c81a248d55e26bfd38bd47c07cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
25158bab70596cf9579be2173ee72c45

SHA1
b4418050f81a315f92555095a652950072f32a55

SHA256
30b48816152c79c0751191b14c9f978817048868501c320d2eef1c81b810f263

SHA512
0660e2b2e2ba1270879398bb9f662d5c5c4631b30cf6c2859f999bc51303f2e5dc53c19be9f396a740e2a35b8d92ef3d437022217540b4bde4bcccb35020f93c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\748d500c-264d-43de-ad39-0d48d8040d68.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1a424ef3582c8fd9344d41a71cda2ff7

SHA1
549b5d4a4a65ca15fa8d911add46b2c9748e0370

SHA256
8bcd6ae3900a8ed8632b8c91fc838e9184d8aad2d398576d34d39245a7b8bc81

SHA512
54b80d151a834c46a444e317d4ea847314477af417842b0508818451ff0804f1962416bf12ce3899c6904042c00099307e666d0063e6069d993e143eb7521b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7b8ec62556db25fb9f649ed04de23daa

SHA1
e74843c25ec11dc8c6db4ca8bc82117d341c2943

SHA256
e838acce72970f1b09313224fe9718a892a823b6b36f353b2ea1a972a88e39ad

SHA512
fd89f61fe2d49fcb515bf9bff4f983537a388cabde272e9eab6ee5be6e580da9a041dd6582e2793cb1de3533370460fd3cba368a95d30d19eeee303cb29da5fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
01832f3a109b01780332d43def517012

SHA1
18e3b3ffb3952fa6e96af269e8881d1e97ba7793

SHA256
076e212740906f786429c8436d3631db54ddcb46f3ba0a6b73e6fd18dfa96cf3

SHA512
1d523f67403d9bd19ed2d84c3738ccee74a54e65dc6cbd06d6e5991f05d67f1eec141f9e8b1c6519193aa0cb69032b0f16b43754489f990935dcb9b4695b1576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c0f90cecb3a3bdb3c11c438277e52ec6

SHA1
2c62103fd6e864f4a3123f0b0535665420d6fec8

SHA256
565eded4b844d7451d40e38aa62e495685faff30bddc06f6678f248d32f0e390

SHA512
c2ba821af32cdd6e866b4092057db75fbe1521e057f1af87a3f7624fcedccf5cc3bd471cacc6186d0480c10484c94df1c00c7d6fe2392dcdfb5d595e8b1f6b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577985.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
175be385987f3997379342b9dcf1f94f

SHA1
33658b9b83ce562b0f193aa9b5f1881d6bfa0603

SHA256
681205a6b4479f395d0de07b3a5c6093717b4669f0e10c8155d4fd9a0951857a

SHA512
94ee04c55578eec3d1b21b3124af441f9ae5926399b6c64bb8d9f364c7710f3fa87d32fad48cb5d4fd16428674c620debae81550c97a4e2e5cd84b8636601663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
62d81746ef2644e14618ff57a08aec99

SHA1
3cb6cd0d83b2377e0d6c926f64a36119a683d9da

SHA256
eb6ceb67f2d06c4a38d7b6e01e28b44c3c3d05b66410dd7da658e87f127ab337

SHA512
74ed270c7ba7c559dbd577d49cac700b1ebea6c2e23a0b90b7aed53772f50bb055dae182bf7367186c4a29d7e90e54dfe23f5757d55664c4f126dc36143399e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8ceb82da28b86ea87a3759573ea991ff

SHA1
718952298dedfeaa374859f73e99452a129a7cef

SHA256
9d01e1ae10d22ab4387acd4786cb0ffff747315cb609713e1151edf2d2ea99a2

SHA512
01bc638eafaaf3a22a4e570a86fb1fb11c4fa132a707fe552c87159ebf197fba6e22274df21f76bf57bc814a1408cc1fd14d720980ba9c1ff9de05d856164b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
fe3efa322efe4419f3191a589d5015ea

SHA1
fa4cf284a99292e2d1f77920519bc9ab3a94d4a7

SHA256
4adbdad1c8d5296d07909abfd108691f40b6163e25c69e3c23810daab2aae7b4

SHA512
39104978f66eab52cdd588206dd39c3db9fc9cbbd78bcf274c00c82f81bc69fa7048eb4f2e6201ad1bd622cbdac549254b4c3893ad62207bb26e3b0c9d73eb6f

Download Submit
C:\Users\Admin\AppData\Roaming\176bb1b0b4b1389a.bin

Filesize
12KB

MD5
1f380cd90bd2c819274902ea6375c174

SHA1
7e0c510c545098f72022d4362e976e03ddae7b73

SHA256
0eb20a2574f6f72b1e54fcdaa5cd1b2675a58aad9c15788e8ef0f99f2019a7e9

SHA512
bc32dabf53b7edb862bed63fc966c08645f6d496a3d65bf317ac4acc7e285fc0683d8a748775601309daa1515416e5a3c571405bcca99328d09993a17f071946

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
110507a5d2f11d5f256ca684075880d3

SHA1
16e0cc7b9532b92e5f1b2ab25361565e78dc98eb

SHA256
76fdb9afe60605f8f5024e5ac7195cfded7525ce713460b358e7ee441fd5491b

SHA512
b4116bbeb2b6a754262f280c83a41cb45d29e2183919729b5f238f25b35fbe2468bb5bbe5250f6b32c93c950b255d2fa6fbda35f83caedf621f77a705c4eee84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d2b00d4e544bf365b7da62c21d261398

SHA1
7cdfd6aa24b99f9efe48cbed8cb1779afc411185

SHA256
7cdf3f93d4f48b5aa4bdb2434910c3d78eea0fb6580d7f41ad1c046c796b8390

SHA512
995f512a188d160f45261e1b209bdccf4c6268379b604932a5bf6f68faffdc1a05c0473ae9b37d601638ded226763bb6039f6bb274fcb36caa099e9422111bfc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
58e3b6dcc85e6b9579e75d512dd6e333

SHA1
611b62e7c2ed2b3c3f5b57c61437c7ff3abc1843

SHA256
93e5794ec0948f67b5e085ea354aa97c1f16181a1f92c8fd8af75c526a4050ba

SHA512
21f66296d2b019cbe83544a3c3868c083e62f806e3289edd14fc8e42cf5b78aaa26cb5902463feaf7a8e5bbe8d448d865d2de003c25031a40875d3d5b803d2f5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fdd5dbd4ec9b60f0dd363fdc13eb7238

SHA1
b565ae29a06405acf5d09d028f2ffccb5353ffff

SHA256
cdb998516d5add36c06bf3f609d3c3ba9bb661ba515ffbda2a07ff3c201a4b48

SHA512
51584895280d353d06106e35e96a2f7837a8b0b482ef7c57c00265a86272c2f15ff358ec87a0e857f8c5326524f008cdacfaadd85dad98e13008e3df5af7ff1b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
26ec1dcef9c440babadaa70bb1be8446

SHA1
b70989910c887aa42b10a8bd437483c8f45e837d

SHA256
6a2a5291e21daa6f8be866e23abc0ff0c4993c14a6375b5207fb2113a83b630a

SHA512
9d138483301a7abf6c8228b7db17ad4da1783e453313ee88d165e569c3738f2778bebc65e36d0cd3fe311f7aec4038f2dc9a8b19d7d981ebef8aedd7718954a8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
61902aa8ba1fd8cc0ce6bc5325c77902

SHA1
747adb4f99e2c5da18159237edc4b8aa9e468386

SHA256
c41f458c6e2f826008ec479e80d939ac8eeb0857207f66ddda314d7e081353f2

SHA512
a0aa6fa1a5c0ab9ba39ddcce5160cfc86f6be3a8ccdc2d8a5c75df1dc5f4d68c9bae34dd9bb9d8a70a0389cba5cb13128aa630419ee47704f5a63f79b9f9e515

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
63375b372deeae5a54cbf0dfeebb2fde

SHA1
d96b7b272f72e77c5ada694c3160bd41b6888d13

SHA256
ba6e2fe4d769dec291a253b005589e3406c555a38f7f1e0b1341b6db9b4e4985

SHA512
56d38fe1c2597f1b59331ad74d0f38a9761dd3212f96d0d7580d6cf7526b5b342d065af7f4d7e1efa380d97932c14757c2b468879abadfe8f3301c506f8210a3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
56bb8be56650a9442cc84b590f5000fc

SHA1
6081adba25a04f380950c1079b9f7340d1322a14

SHA256
2205f53ea7f1c061a81f7cca239f6252590e5b645a1e37dfaec9c1f6ed787baf

SHA512
ba32c64e35759d34ac778263a8984c821eade8b83f9e2d0c64e710683a4a55b28a004c4d35f723b26a0203d4529c2633875dd80e484c03eb345bcce01b0bc611

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32342fb327f751dc5cef64bb2e070adf

SHA1
c8b5b68ce6fe56c0cfbf6adf4552fc3d274c978b

SHA256
0f377bcfde10daaa5317aa631c7a4cfea3ad2d168c1dd30f78d2d375706e6893

SHA512
cb1972573f2ca418a2fc777257f91d1c459c9ac6c4d52db4b7d328953517c82eae15ee714c2a2a006b4ad1dc3cc31c98a21a8dd529e069c0597407ed6308ed73

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
27a0a64a6ee1cd2c73f0d45323d7459c

SHA1
3416e7241ff30f70cde147f53b8a3b2b6aa16d8f

SHA256
11e2297ccffb5f3f58c4c2df4337a344ec96c8069665d5f9e234649d8481f3c6

SHA512
31e9fe761b7414bfdfa7fe93b718a36ab4eaf2b676e903034f503323327ca9619cec0738b2622104fc66937e363ff7a15979013b76853c4a86d316bbdc1b2fde

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e053030262befd3955d563c1b4cc7b86

SHA1
b148e1803823ebe011a679941ad4f80f6d0e9964

SHA256
ead2186c5c7faeadc5b9ada0fffc22f36b2037b1342e90009f3c6055c993da1f

SHA512
4360619c76ce09488a65921a6bd3db480abd21443a217586afb499891dc70f02b7a4ad6df4ca4862f40ad7e8e3499fa963516db5771e250da1158ff29ffcc642

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
92a743d264158ef8d007daaa095ab5ab

SHA1
01a37d6abff75cabd16c2406e881e1915ffe1e05

SHA256
31ccfae5182e67e4d8df22f72af228bd9c81f0e4f6e80edb481f2b0463dee3a9

SHA512
4961084694520ab2727f4aaa1e4a85c4c607826b91a6ae765d2c03293ee4c2e1bdfdf51760df7c59ea46a0eb388929e49b0c38739c7a1afe95dc9ea51d0f35cb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c8213a34a5a94be8e834f511564cd7cc

SHA1
11e3dbe01cdfe23a1ef5301d5e0b3253ee937fdf

SHA256
1772b9e1c612808b86eee63985eba94cd80c4627df9a02f43a67d36d02d3d5a3

SHA512
0cc8e647edeaa1f3f4bceda0c362083d2a1f74760973253b792054f23181f23ffef03f1becaee4d9d3ce60e0bfb1d870047e958973616ded58003c83d0fb277d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d4403c767d174cef2430350f26d5230a

SHA1
ea9ac058bbdecccf6f052fefec27fffc150da129

SHA256
0937ed4929074e01b8c16abd9b45fee67035ccea08922a751210decd0a7bec40

SHA512
724237f055ca6f6e63248e01b1bd3629a48c04f139598f16ac4c7b60c6d94f493e89bbeac809801d9b3a06fe4fe6319ad311f07c8a71a160aba55801f6c89a66

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b364785089fd6110d5a8a9136f408a8f

SHA1
face6ad61a2665d37ea3fe54e310bc7289ae8d23

SHA256
15683940d008c0ea187367ed60d71aa5b8597cc14c900c4bee3f06c5ca0b708c

SHA512
12f17df72067356451cee9955b162b53e3057eef997a5f0c7b8944ebdacf6c4addb92c7f6c8347428f91b54b8aa8d05747fd80029a1fd51139b07b0acd5db842

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
64b5e1c9e314f3e78d18ccf172ac042c

SHA1
a636d23cd081c8e559fa5479c9f73dfd97f74a14

SHA256
f0f01f1b629915214ee984f0c98e64be9370bda561500e8eb3f5e3c5b5f0a6dc

SHA512
4778323bedfbc5d4a998fc6e3d27228e3daa75d9124f8827ee5a7cafee179495180a66261126f8f6a24f780cd89e3be14719c6258e58400c30cef0510da76517

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5568c7a675e19268ba9e174a8615609a

SHA1
e18039a6553feacc91a20b9beb9858136435c7d8

SHA256
cb835f1947e4cd3ab7fa9b501531fa9f692346ebc24a69e113553e7ba08e1320

SHA512
819fa248de3fbcc53123d6611802e4d02bf46c1dc57b74c60d8a8499cd35de8418d5da6120429f1cc5e2f395b7e6542136c11c8ae3f947392062bfb862c43e6a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1254189884bb67d7d388c3e2f813585a

SHA1
2d4b10771d309e7cc63cf483830b32ae2e5ebfef

SHA256
fbe77bd886ba0b409a56653318466d65841afa74bb4ac0e7da29c9e08040b9a0

SHA512
c0466866e897bf1a0ae5147b104ecaa1d9d7fa48ede9fc9cb508ab26def49070ffb681e9a9dcd10538480d676c7e89bc1f0b66eb65c3adfb63daebb70857c538

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7864e1bc77db52ec8a86fa9a709d2215

SHA1
24a6cbfa9f9bb66dbb79371ff609802cedbc82e5

SHA256
2b55d5b2572ea250aa0e1e68d83bd8119333a1ceefc0c1918735ae0dc652fbb6

SHA512
027a2ac85e6048fa4180f6c63d92d65960d350e98bc17c2d374826ce1107f4eaaf7048466d3e2746e99459e61b466f74fb28043e303bb07a5f0ab641f8f1d237

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
671028c7fd048331ba1b34341eabb436

SHA1
52e9c9bcadc7d18bdedf961c8b656d3d295cd099

SHA256
c7b83ff77cf4d9c280e1da2d0c395b7214ed87d9170d9e0ce7da0f2a53d045cb

SHA512
514d781f92318c476ed18daf437bace3d5d6fde66f84e9d2d70ce65a3b6fc79dbf2f6a67a00a7459a54dbc65de10a0c30a97a2decc2ec0b65b54bf3dbea01768

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
98d86a870330b0f8b2b1c4f80dfa0fc7

SHA1
9b651338d57833a3e15900f9de885072abe18ad0

SHA256
347128c5170ea30b7a1ebb516a8ae0c4509e0c202acd1b3061da48a611a210b4

SHA512
c4ab6784709ed911f412ef89dfd39d989488356ae425c7ccc0bcc92af092654b0d8999f1dbf2d60c76046683e125cc4266402918aed10bc150245dd921eb78ed

Download Submit
\??\pipe\crashpad_1820_IFQFJDEXKTNMTPES

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-9-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/100-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/100-0-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/100-23-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/100-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/208-21-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/208-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/208-165-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/656-782-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/656-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/748-261-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1216-90-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1216-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1556-202-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1700-633-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1700-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1928-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1928-65-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1928-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2288-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2380-286-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2380-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2464-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2464-56-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2464-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2464-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2648-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3240-162-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3240-112-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3240-236-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3240-549-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3240-67-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3240-73-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3548-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3992-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4148-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4148-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4148-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4492-287-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4492-779-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4788-117-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4788-274-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4960-785-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4960-318-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4968-298-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4968-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4984-201-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4984-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4984-31-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4984-40-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5012-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5012-263-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5012-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5012-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5244-786-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5244-330-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5684-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5720-789-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5720-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-790-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download