780f2ee084dc5117b0c565bc4a5d0103891c4bcb01ed71a1728e56d95c631951

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
Size

5.5MB
MD5

c8ac53ab59d1859334d5b1d5aea7f8cd
SHA1

557967092cbf48571365392ac2f9a75455601777
SHA256

780f2ee084dc5117b0c565bc4a5d0103891c4bcb01ed71a1728e56d95c631951
SHA512

b14fef3808f9f5ad27450bdc9d2436a55eb03cb035b8471bf499ab7f4c4e9afe68c4643a162a46b56f737cc35ce33d02f04fe1c8b8fe6e5a3d1937d1cf0a0fdb
SSDEEP

49152:DEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfE:fAI5pAdVJn9tbnR1VgBVmGqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1456	alg.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
4692	fxssvc.exe
1928	elevation_service.exe
5104	elevation_service.exe
3760	maintenanceservice.exe
4504	msdtc.exe
3352	OSE.EXE
4392	PerceptionSimulationService.exe
1940	perfhost.exe
5072	locator.exe
5012	SensorDataService.exe
4156	snmptrap.exe
1168	spectrum.exe
3144	ssh-agent.exe
4360	TieringEngineService.exe
4448	AgentService.exe
2132	vds.exe
4872	vssvc.exe
4728	wbengine.exe
4812	WmiApSrv.exe
2524	SearchIndexer.exe
5788	chrmstp.exe
5916	chrmstp.exe
6084	chrmstp.exe
5408	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exealg.exemsdtc.exe2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2bc31ff8bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a65f1529f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083485f29f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edffd428f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c639ef28f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017fd1229f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005296b729f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exechrome.exe

pid	process
2864	chrome.exe
2864	chrome.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
760	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
2864	chrome.exe
2864	chrome.exe
7048	chrome.exe
7048	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2864 chrome.exe
2864 chrome.exe
2864 chrome.exe

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4856	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
Token: SeAuditPrivilege	4692	fxssvc.exe
Token: SeRestorePrivilege	4360	TieringEngineService.exe
Token: SeManageVolumePrivilege	4360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4448	AgentService.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeBackupPrivilege	4728	wbengine.exe
Token: SeRestorePrivilege	4728	wbengine.exe
Token: SeSecurityPrivilege	4728	wbengine.exe
Token: 33	2524	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe
Token: SeCreatePagefilePrivilege	2864	chrome.exe
Token: SeShutdownPrivilege	2864	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2864 chrome.exe
2864 chrome.exe
2864 chrome.exe
6084 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exechrome.exe

description	pid	process	target process
PID 4856 wrote to memory of 760	4856	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
PID 4856 wrote to memory of 760	4856	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
PID 4856 wrote to memory of 2864	4856	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe	chrome.exe
PID 4856 wrote to memory of 2864	4856	2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe	chrome.exe
PID 2864 wrote to memory of 4196	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4196	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 3696	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 392	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 392	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe
PID 2864 wrote to memory of 4448	2864	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_c8ac53ab59d1859334d5b1d5aea7f8cd_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b39ab58,0x7ff92b39ab68,0x7ff92b39ab78
3⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:2
3⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=280 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:1
3⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:1
3⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:1
3⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:3364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:6712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:6720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:8
3⤵
PID:6820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1972,i,7517028918433942761,5901004876900023942,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6096

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
185a03a14790cb05d8080d14786bc2ad

SHA1
3bb63503a6ec4a215e804917daf8111264420758

SHA256
c01e26ea98cbace9b6762bd2c414a99d0c555e260f2028bfa795557636b1b10c

SHA512
be6ac20354db0bedd7ec3327e2a8b1e385fdfca21782d55bc51e47553d816a4b47a52cf8f56974901bfe53b8a4e92ee1bf6861072c85a1293b53242ee3ba96ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
e31a2e9df79a7cc756c6c5b62833cfe8

SHA1
d0b8bf8ddbb79ff7af7291db7daebdd347552d24

SHA256
b03d853b107add12595f16f0bf8a5805329734a32600057f590ed4eecc8b0947

SHA512
617df1dbf83f0b88e68bd382b09f07cbba3a349df6971755c539b1b8c6b602db311ecfa665b4eb1bcf561d343cb3de0c713ff6d702649138e481d4002542f91f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
9815845148c6154231478295781d7346

SHA1
4bb234818f673223d673182f612b985f93612eb3

SHA256
74e2f4acdbd508c3c73738f870d41e60dfdfc99ffc5ce5ba9a81bbd58fe1227d

SHA512
0ec50f277744dd70641e98b2bb75f2084fbef939380e1c1a550eddf5e6a93258351ea6e1e6986f4d3573fb545bba6742fff22f52249e62b9fd8ea1a40d48cc59

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b47da857ec1e7992ca9ad3833f634f93

SHA1
5a88009d7192fa9844dab2ac2872db66d84ebad7

SHA256
a8be4431ff9bd03508f20a642a5d31b6d774e7de916c27ce6eeba2879b455f55

SHA512
647e99ceb151000bd475c7c74763e90b55fc10bc3162c91bf7a787cc724a4520e9047def3a53dd7a1d51c7701c7d31d10059020523d3df005366c94c3b2ba9e9

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b58281285049463f6172e8345f3080e6

SHA1
12f94003e344d8bab33065d923f0b5ce7132c73f

SHA256
7b3f526a66aefd0b72561b60c8866b76927a9f7502ada4c667392f7ce71e5920

SHA512
642378827985ab8aea5f8239112a4e219ac7c67303d0d30415df6a2451e903db88e8254e5ffc7da002c920e714b2805d4c05a1bc8b825e5ce5e7b1ba1d4dd4bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
6d4e740783cd089cf3e1aa8b9c5b8293

SHA1
e510f121412137be8161e5e84244ce98e1e5c5ce

SHA256
4d211b54c54643946293a18b89e0fa2e78f67c3d6d79da4315c364eab7d5b6ed

SHA512
0c24dd301c2a1d241493993737f2ad95ab88379daba90f6904049f333e8641de4017399a39c7a19bd1beb2001049574eb157a3b54ed3e13d557fb6c8367c2506

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
f8796010cb356499212fc583090ebdef

SHA1
17bb45edeeb5ad21f8cfe6ff6c01d450c6522dc3

SHA256
918fdeb09c654a1b1af3071466df1d6daee298e1f2eb94309ee626e279eae661

SHA512
1ee4174737e445ff6cde4057b619ca2b60a0c073d9143b12c1bb9385ef997adc1a93b1b4f757276b8180aabdf1f554dd281f09e7ea2203fef0de74c6e895c202

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
dd9eeed34629a5e158315726b3ff9c30

SHA1
412398bfa04a4175e984ed2577f5a27641ab6f9d

SHA256
3e845ebce752fd08ca075fd57837f403ac37f8e8d7daf3d4bc64578b80e11420

SHA512
5d3c18ad1d735d41afdba57b67f3dc5c800e8ad87986de2bfebcdb87e25b3e77a48955fe070918863613a3a07edb91c53c01a7b1044377af5b8a028d21ec5ec2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
66542bd3419bcd984aa97c0cc3dd4498

SHA1
145427edb0ac368db3ddd3bc1a5db5ee419b9ad1

SHA256
a02c303c99a9c5470c8536aab615c792fc6fe8b5f90ae6a4143def517d7a68ad

SHA512
5c49d8ed000184fc101c74d9cac5a8226ddbfee70a3bdb4d7bda2f5f3849b4136b86b76f467336c129f081b639c636e9639c377dbe87c5bc832d382e4902cf5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9dd38e1e28537dd222c61fb55cab885a

SHA1
fb8f0f8da6b6329c281aba2120f0a0e03a090194

SHA256
e0e1cc087395af0e6ab0963a52b7062ac6050ea911b4ed7a4b7c17e14956a6ef

SHA512
e11a5b30056f018b8f1872e0c6e617338562054f91dc82e6fe60f579c1511fb824fe4e80b604a0aa40d65bda2cc747d2e700575c7f5a3087d4b608c61d0294b3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
d7b3421d0df38f0f88f76e49714f13fc

SHA1
2cf98e440380d3b42951f31ed2162b08a3bb9279

SHA256
c88e366c61a0b22920580dd34ee87353ee6f1558fde807a108727a7d748000a7

SHA512
46c4fa2cab34c9ba0a09d0301cf92d62455d54363abb21c9666dcdc4dbb0095a57454a5e7de3502d88523e332508ce69ad698508269d03625b78dbadc3f40938

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2b06a9895ccef09973e56fbe0803cf81

SHA1
a18f020e771d27890aa3e0ccdfada422642dfd9a

SHA256
6fa9f04e925692cb15d6fab34f91f7fb3fa8a076aa0c35cf1895febd600515a3

SHA512
16afe83b7e3e476e5f64ba26a4e4c820af2fad506e1323c0dc06407c7a6af94cf76093ada595551aec43f0f4ef654e410458a99e103e2afaff3d103982927a82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a231d8a042b0d44c36311f6388b8294a

SHA1
22c408052b36d2bdee19c4a11f55a7397d01427e

SHA256
363adf0f3a47abdc54b9a0189484ed53a6831aa69461d18e686ced4453a72646

SHA512
bc0d790abf577cdf244ec6cf1c8f2e7b9d73715a2bed62e5bce98f39815dee40f1329e0a7ccf68d877b8692701213bc3799ad0428c14d8f4cddbdf475b8d1453

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d3344456-80d0-4047-b50b-52b9bcd479ed.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
fd4f91f4e973731b7b27d44be3a4c0ef

SHA1
80ffcba12670129e4452bc8b145a173ec485b6f7

SHA256
5656cfef5dcfce4db285a70361f13a0fb14c2999927646715cf4f3800f183410

SHA512
cf279349d8c733bef0144681f8339163725a42ee83ff1887aba8a3a446d8648bbb9beb42f1c09c77997203b9d8acd21fe3a9ffc0c2f356c012d7be3a32aee5cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
aa8d2efdb3a0084b5773a52aa78d34b5

SHA1
2495e0c956c2915d03b765e54c7fe63a147c5bac

SHA256
314d8879b4bdc222a51264949349c496f053efbd380e9bcd3076b2175454f073

SHA512
84731d18006ed8d8e5bc2e031008c938dd4865e13aa31acd826c1657218bd00a67effaa8ff1ddebedbc1b9ef7dd3b54c6734a39034387105db479f8cffbbc5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
27a15919067581e5aaf9fbb616949238

SHA1
46a99950141548dc56e9f14080c38f2a5149abfa

SHA256
3b1f65905d5ecc171ea9a47fbfbbe57333b915b6958673653922a28226419968

SHA512
d887cbfd05d4412754b37f0d183d407b7dba8fa9cb0cd7eb4478296e91103f92dbb60e3a794404997750a13dad8a2f66531234505d97edffa207001aead1faf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7696fd8c87266a5fb1fd47544a844573

SHA1
df12bf1fbdcc0e1e567a265811d86706b6e01fee

SHA256
d2ed830cde84956d7648fe810d264a3e57390d892f4524d5559f7a01d2d739ea

SHA512
d77e4d30aa5920968c67ecc63e702b4104874cc29d66ba8c6eaef5b3a13e47ef2cdeffc08d86d4244fd1b63347e01c62e810a28c1a225e5f0d2ff8712089b9a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575880.TMP
Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
1f5f7911956d67aa47a9009443655661

SHA1
60c9a195f61316b1f2fac8229905adb958c79bac

SHA256
14f434eebbe1553c079e4987d6bae3dafca360a95d0079d7c07c6314905adbbb

SHA512
fd2a041dc7b1c2c1ccf696e15a27235fc3ce953e450601b8e025449fe1049502a2e86efbd953e67e62296f97560a86bd886bd315411d08d4f51b45ec7c99510f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
8e6b056e41d16de1b40709c642384f5d

SHA1
ee00388d6e85af546cf8151691d05c83a6e157a9

SHA256
3bc706a9c7073dee43e65336b4b6abdb71b4c22a5a5a82941ca5736ab3465564

SHA512
5e12d67cbcc7f60f26ff4f3c3cc2662f399ec67879cc72c823aa7c7c0a4ec670605598198384abed753fdd3561980941363c88e164309c5242cc12f5e2c5aa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
e40faa557bfce6d8ca142c3dd8d3ced7

SHA1
78d362f8417d4c87483f944cca696e34fae2c151

SHA256
53459b16552032202b3dec7ce54287551f667e826696dbb24f6014f78b0d9a15

SHA512
917b21d1d3161bc72e1d16160c126ff4bdcdda99a2d3ee5c02078964fd0fe854404bd460d1836fa0329bc979936a08c3c470dbb25e20f24ee8c3b252026a7c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
53d187ae28c0b55a896b1497a2480c0d

SHA1
44dd10245b51758bc722bc2af76cd8cd4344a427

SHA256
4b7292c5b460ab1392f6834b404730e3b979d12d4e0421eb668edf9eeca3bbee

SHA512
964150657c892c1283a7c9be93d317ad40e1e22de9d1456b71678d665faaa1cc464afa3ddc2f30a6ca174012f493bd246efaf5bc489798138f2530ae45022780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
73a06c68e9790a6753dbb304291aef8e

SHA1
66faa65c1e6489344c1cbf5b565a757642001aa9

SHA256
1027a48e0fc10d5a3a8fb65acb77b8695354ce7424272220061f68fe4e9beb48

SHA512
31654b93660f9c06373c7a421e74364c3bd06c35775b18a5674c80cef64d93bd56d09cd324fda7dfc8174e81b7304a1cc07216379768d1f723cdcdaac58850b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
61f3fd414e491a5691cc2506a9e382c1

SHA1
2503ca917bec85235177b644b22a2f85878ebc41

SHA256
151483e464c2d7f7df81861e917c3efdca7d4bf1db1dff92068dc37ac0f52d6f

SHA512
f783ed5c6f49ed709bad9dc9bfd2c3466e369abd722407c3dd53c9ec8bc681cbb77986d7837abf9d635ae6b21d2f23a3b51d06d65e5a823a2d5eb7eb706ca620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57cdc0.TMP
Filesize
88KB

MD5
af552c2614ca3e672c5cfc2ed58fe750

SHA1
7f6bf6252f4907033b2670b2ab0d48612f666f9d

SHA256
15431e20def644a0a42be83cc0674682481ee33467dba95f73f7474d8230dd0f

SHA512
a8672d0fd0fe19f564d51bece4f089c5d4805a02f915ac2251a77c937a51d5092f211d21f7b5cef1d0624d430d1df0ed946ad8fafeeeb070e6bd04c49313e42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ea62ac2c483126641d7572f98118d76c

SHA1
494519877aa6f170f46eead3dab531096b7fe12b

SHA256
1338f8e0dc99f3ad4c209a4bd7f2bad666a5422b162eaf302e0fca8b9957931c

SHA512
fe0d8325ba60188159272d24ff2de4f70bb869d6327a9ae56dc367d202400457ff3220dcf9c12a5c9577c3e25681fe14ae1d7ab788ff0aa91b7f2a0e9679632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
d11f2d8a5a16cb680b53022969d84522

SHA1
46fe7eb48f845ccaef8fce254300b88fb241d391

SHA256
2d9dcc826aa85bf7f652086b53eec167671dd41d4873a655a59d92783b2f91c5

SHA512
877283603f65e273e03b635390ded193b18199d308a090c0f1ac5052c747c39e34e81ba69cb785fb0e4ca78c7a5e4faed1581879867c9799c64e7b65591f41b2

Download Submit
C:\Users\Admin\AppData\Roaming\2bc31ff8bb5459c0.bin
Filesize
12KB

MD5
d4808bf098925892b1a050eb4ec0779c

SHA1
c9affb56b593a0749128f4785c7e42f428a553cc

SHA256
7a24a4cd91b199461a7e846df7ebb34ea4c85201a6236a2b94410b83b176965a

SHA512
edd37a804739c5e13811cc9494a44e1e96522b71bd84b30604e413dba2ea606425a9f7c24681bd2b3980feec10732ef39eeff8581156aade9e03fe9dc00b3a7d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
5dd778b570d64478f9b5a7d36dc7987f

SHA1
235fdeef44483d5db407ebd6a2af12dca6f323eb

SHA256
67ce5e94d6725b135931f0a78a15e7406d8f499d265b3238e3dd553239c20a21

SHA512
94f7f13fec63826a141938f801f108cd45bc0fbdb7d435a39ee6083ba102b3c5ac97166b99fd7fb3b8f6fa0fa0a4baab2d63c7a7362c095f9ad011d80d3bb21d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
45bfe3589ddc2b080e1b1cec779290be

SHA1
fcdcebd8b96d95919a466298764fab50497e9015

SHA256
db3685df34883b920638b50e5cb3e7435f5dcb01d5147c6b1544409b2597736e

SHA512
a00466e3249910137dace4823ea181151683a31f06f01b6f51d3a34e3c1b48303fc7728b01236793aace12894acec83d4bed6de05b7d10f5e9e1167d3f0ccfaf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
8a5a00a80333f1ee279a6eaeeaaec615

SHA1
6dc4c7880d6ac86d2b4203bf052ad94c7a67294d

SHA256
80ed22870e87d0a13a58b5111ad4761b5e3d0cc98a2460542a79584fb997476d

SHA512
2de3c593e716dfa793310bcb33d3039e99af3ab37ece8a1eda16a218f6143fff13cbcd94e58c48923f25bb69068101f457d3035c928dbaf6572e01cec2bf9999

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f67c90d1da40370646133bc126f70c2d

SHA1
3559bca6088b1e82da3fafabb97f190cbf4c052c

SHA256
c6137dd4b61dcdf930fcff3ee62b0b73e49782067db750b053f231abf56d5afb

SHA512
f034afe904ce950ac68dbfb1774f94f92371aec6524c5b9c9887cd02b103c819275a87441dfec8cf160a8556a6a40fe0ef18a8e07a46c253c00a4a21b1f1cbf9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
0f449af1dde1b3a71021ed531e58167e

SHA1
32e4aff2c8d16ce3ea309d836e8343939d2415f4

SHA256
b154ec9e085cc425aae00f5b359609d475ed55a5030fea8ee6b0b917b2616ae3

SHA512
c93f6f3188f5eb4d220bc19b17cc0bd28671051cd410d5ade8c000faab2e40bc487e5f4270adec5d56fd561bc17a8154793eecf7c5af8a813dd360a0995c816f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
ac16571432efc4297577a752cf8bf3c8

SHA1
48d4a54be73ff627f6ac8841ca96a998d0f73ef9

SHA256
b442a2d2f89f5dfb6244aefe89e8c4dde91dc2c781711d5385bd2f1fbff125f2

SHA512
e2185c0dc4a78e628fc0dbbc951dc07b8c00d8ebbb8e2a84ae4ae5702662e77bfcca20d8d729d6482153fe4f63ac62829e35ad14aee7e3d00d68a3abb548e3ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
2ce55e468d1e16abe45f3186d7d67067

SHA1
bff305f460f5d7b0db7295f8104cb2895cb1b9da

SHA256
bca4232aa319eaa1e6e214e29f84292b099f7cb68499bbc79636a069de8ea9bc

SHA512
a1db4b61f77f1238b947a54a3f32458fa2dbf4aad1d250283249cc4f657a0fa1051b1139a5b0d476f1d206ac829cdca427cedc8c37b0e0a15f690ab266e92e31

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b29b7d231898bd54ec6b4acd896eb907

SHA1
644280de6f6c5c8d8a3550228c81e78cdfde4e75

SHA256
6e82b90d168120039eac803438ac2af333bdf4ae04cf9cdc1adc8de21ad40545

SHA512
3372e7d03d1649b2a92802303bb6085c69f4d1a5f0c0034699d8d3fbb0bd78796fe1516b24e9d7ee0994b95761f0cfd923e3cba0fd072f5a6dcf24691ab0cd35

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7a7b2dd0b784edb8818a5804be465c69

SHA1
0ff6bbe3c59e6174515cb490e7d41f9101067ac5

SHA256
4ddb38be5fec1e5e24e6558586a92bab074d475aa92f84eba28cbe095a285405

SHA512
7b9fcaadcdc96460eaf2a67b0e69f5c770ae40cc3db67011138e193703d24b99cb703920c314b0293d67d8a238a77aa4ee756278ee02ae70df66f76a7cdb7b86

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f9191d1b217a6e3c0f138913582f71ee

SHA1
f52f015406f6bdb27a70c635e2dd253ccd0d19ff

SHA256
98485d4dd325a1c57e6d1956ea373604bf4e475f6a3baaf05aba7392679478f3

SHA512
a19a0f93531a1dd50667f5e0b44ae75d639af96dd915357f1a4e47151efd82b31db9d849cf1e9e4254a502428c5757b19cb34b06d31912bd2fae3cc9ec1bf554

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
29bd8aba77c2d313a63ef0c7c5eb5724

SHA1
efb1824b3d2c9a0d077b3c8b1f37d210d4735c15

SHA256
ea87051cbfc1ddd828497df8000a91275081088f6f1a10f692b0f654b5b99f75

SHA512
30e2b2dd89a59405ec4ed7d13bef2aa4421b3d8ad791d09fe89f86da0c98d2e9483187a44b6cf7278b3db8d2feb7eee7bcfa44173476cd57a4ae25cdb92561f2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e39544463b4b1fd204607d31b9f179fc

SHA1
438a9b7ced26aa7dbcd3692a5b9174a7694cb317

SHA256
2c1f3786545cfeceea2eed2690f0ddd60c87a7de9428b7bd2e462545b127d4cf

SHA512
155ad501238e3c1cbf2c9a3b59cffb341aa355d3f5cef5f02f0fd2ba7096407091da217b26d3a720cc58ba67cbcb8a22e1fd6922ed40f6fe00c28c1bef7740f3

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
dd6b1efbfb0482202e0299d03d27552d

SHA1
81b628603b1976d557c58563a0c8c9d783ab0b65

SHA256
3f82c329f01ce9bee29c376f5293fbdcd185d502c03efc36e642da80fcb457c1

SHA512
1689a62d27022d078df4e9c2aeed894126fdbe4fa5fffba7ac2d6fb1951f9e937f09180dfba3606af4140935cb100bdb6adf790ab8d059dd8536d6759cbd10a5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
efd6d1f3be1cfe9dcf784aadb0e13a69

SHA1
a0a65d374aa026ba866189358396816db40f098d

SHA256
c4b39e11cc9ecb2ce08de1e2b30b128b215c10747961320af57fe0b42aa8d4e2

SHA512
0063c95048eae76a8fa6274b11c5f68295ddfb4eedc4dc051b0989dcba654707928ecf63fd71d28458be0d8f93f38c76754088c2e1516c4e8d4cb71488143a31

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
28c607845aa82511de8675e6fe21419f

SHA1
ecb1c70e0fd616e0897d8e230d5008e09f89a187

SHA256
4873041f7ad9927cc99f0d42718fb6e4a27edfc771095893852b2ef063f89ca2

SHA512
bb4dd3c9f0f4706f440e9a1de5ce43de35785b6bf1d563de75563369c1af0d38ea60fe4f6713a18ba3ffcebc0cdccdb11388465eb7fd5044ee353fd80962c858

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b3b423952a949742817fd6758097d5d2

SHA1
2a71d4dddcfaaebb5ba87c2ad4712eac1d9fba54

SHA256
cda316d27a2f64622a6bff01b24f86a912c1cf1b1154df70a6d59280c5e614a6

SHA512
3574d5f4908f5dedf6bab8b37d43841bbb19ef3a4636ed4965b672be079e5a04e1ee76dac65255e3f398c0482d012e547a2afe2373e6323b90365c6b260940db

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
dbc3a743d85f3fc4a6af9a523e8ce34f

SHA1
8240cb07ac0a5099ad920bfb6aebef71e4ddbd12

SHA256
a310de883da9a4d92484edd0a29a2600d4c26ec9520d8a2b045e3c3c172ed914

SHA512
588463b46dfae45b746709242a10df507db483a41ed2a5843d350985548b4e8b7fa49f99521023cb6eeb34b892443727975fd8a826a0ce9405e13c31867aa063

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9850dcce7aba69e94f1e692283902b3c

SHA1
5e32a2bff3fdebdea853bc437e9ed58c8f63a4da

SHA256
3f6488278425defb6ce16eaa066fff10759dc222b91f3325d8247503bfbdb4fe

SHA512
712d5914c222305cef5c90847fe5c8588b69e106561be471760d1bcf5235f94196623992cc67dbebb8ba00735d758821939b09800b4580a1a32d2afc43dd3442

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9f22e8eff5147c1cc09aa88118c54012

SHA1
456a71a883f5419a8199c2e782ad42469301792c

SHA256
65eb573db610b05d711f86ba0b7ddce290feffc32e732bea30280e336a698deb

SHA512
4feeefe75926d9068a872174959c871f19b0e232b043015a5765530ab6291a84be8fc186728bfdb86645dbcd79d2f24a3805787bd565cf75f5728b3a5ad45e43

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
a0c147797d16f93312cb50d69d08d8cc

SHA1
f454007c528c080401d7e9e01410c093d032da6a

SHA256
570fa71c2e362e37fbdcc7c525dc126fcd8b493e92d7d169442d9a83c422e3f5

SHA512
ef846e03b5befd319962c65a95d8b76021343f1833a59898d0489625f2b8a41ea00694e498d193967047cc568cc949cd54fcf936650e51b3b3452a35d34124bc

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
6e48afe5ff4e34bfc2f246359cee38cc

SHA1
2ce0347ce86972c588814b378ac13984241869d8

SHA256
8dd47fda275520159977471fa3448e5bdbee75dcbb5bdbb4ce6b84e86fca522b

SHA512
28db5df9692e8efb0a03470182ad978edda37bf3cd73051e6ac9f2192e7c74b2982c3c4f7d0460e5bac2d77f15f8984ad44442e779f5807955ed0a60ea7e2791

Download Submit
\??\pipe\crashpad_2864_YFCHVUURIHWPRHMO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/760-11-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/760-572-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/760-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/760-17-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1168-286-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1456-35-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1456-575-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1456-26-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1456-34-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1928-66-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1928-415-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1928-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1928-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1940-278-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2132-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2524-764-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2524-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2724-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2724-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2724-52-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3144-289-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3352-276-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3760-91-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3760-103-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4156-284-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4360-290-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4392-277-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4448-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-275-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4692-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4692-56-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4692-77-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4692-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4692-62-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4728-294-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4812-763-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4812-295-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4856-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4856-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4856-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4856-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4856-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4872-292-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5012-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5012-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5072-279-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5104-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-762-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5104-274-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5104-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5408-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5408-770-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-607-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-556-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-765-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6084-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6084-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download