2337a86a370960496090c4e8a1d6c7e7547dbfa9b0c38e681f9a76fece660258

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
Size

5.5MB
MD5

2e4b46b885f5b54c28429b68acd7f6ad
SHA1

5b5736f1bdf813865b4cb81bbfc36ef1e730312b
SHA256

2337a86a370960496090c4e8a1d6c7e7547dbfa9b0c38e681f9a76fece660258
SHA512

adb3982c1c382041496697f57cc39e75acaecae8825fd938aed7839b47387e7ba1351685f8091533a85ae29a019b7cdad73d409499793b218fa076505022f90c
SSDEEP

49152:XEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfF:DAI5pAdVJn9tbnR1VgBVmGTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2464	alg.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4748	fxssvc.exe
1744	elevation_service.exe
2188	elevation_service.exe
464	maintenanceservice.exe
1940	msdtc.exe
744	OSE.EXE
1000	PerceptionSimulationService.exe
2756	perfhost.exe
4748	locator.exe
3080	SensorDataService.exe
4336	snmptrap.exe
3228	spectrum.exe
960	ssh-agent.exe
5216	TieringEngineService.exe
5344	AgentService.exe
5424	vds.exe
5532	vssvc.exe
5632	wbengine.exe
5724	WmiApSrv.exe
5828	SearchIndexer.exe
5392	chrmstp.exe
5356	chrmstp.exe
1828	chrmstp.exe
4932	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exealg.exemsdtc.exe2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9cdf2dcb293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a10138b8f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af257db8f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610405473080722"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b31c91b7f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028a016b8f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d089db7f4adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bea1f7b7f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000236d80b7f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdb329b8f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b78a41b8f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5f3a8b7f4adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4641bb8f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exechrome.exe

pid	process
5008	chrome.exe
5008	chrome.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
6704	chrome.exe
6704	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5008 chrome.exe
5008 chrome.exe
5008 chrome.exe

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3316	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
Token: SeTakeOwnershipPrivilege	4348	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
Token: SeAuditPrivilege	4748	fxssvc.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeRestorePrivilege	5216	TieringEngineService.exe
Token: SeManageVolumePrivilege	5216	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5344	AgentService.exe
Token: SeBackupPrivilege	5532	vssvc.exe
Token: SeRestorePrivilege	5532	vssvc.exe
Token: SeAuditPrivilege	5532	vssvc.exe
Token: SeBackupPrivilege	5632	wbengine.exe
Token: SeRestorePrivilege	5632	wbengine.exe
Token: SeSecurityPrivilege	5632	wbengine.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: 33	5828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5828	SearchIndexer.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5008 chrome.exe
5008 chrome.exe
5008 chrome.exe
1828 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exechrome.exe

description	pid	process	target process
PID 3316 wrote to memory of 4348	3316	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
PID 3316 wrote to memory of 4348	3316	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
PID 3316 wrote to memory of 5008	3316	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe	chrome.exe
PID 3316 wrote to memory of 5008	3316	2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe	chrome.exe
PID 5008 wrote to memory of 2904	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 2904	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 3416	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 4224	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 4224	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 384	5008	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_2e4b46b885f5b54c28429b68acd7f6ad_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2b0,0x2e0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7614ab58,0x7fff7614ab68,0x7fff7614ab78
3⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:2
3⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:1
3⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:1
3⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:1
3⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:6084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:8
3⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 --field-trial-handle=1924,i,4811991909327930780,10151094217350584599,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3228

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5732

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ede2ab7d1fd507bcc8c7bf8678fc3b73

SHA1
848e73d7c973789f4dde3c7ef434589813a35409

SHA256
7b7979e672b8ec0570622478dece581019d48ed9709765dac571e5701beeb5b3

SHA512
9961870d62894a3902342e6e7a65e03d0ec4a3fcb2c5625ac399d1502ec1e657bfe530a3d480aada8b6a66d158caaf2e05037295231bc1843e84f5f551575e9e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
22adb8a78d3dc43d0741bd4bb879a9b9

SHA1
f4f5b471fe9eef9a2e7603a87e68bc3c853fe64f

SHA256
cb274f7adf88216437d1d1bfeea78db50e8bee8398907748a7f3937e19f8ac7b

SHA512
f0c9f98aa5847c25b160e417738c8ac05c6e9e536f601611cf25b6aa81d4edf02482476834df30feb83b7fba7d7529e97a5e2c43bf934d5a641307f653341f28

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
9a8d89941fd4ebb02f52ede0c0af37d2

SHA1
4891ac0c89701331a98545b24aa66aa6cb4d4585

SHA256
744acd1bb30f40dc4a940d5ce5bf3f9f920e7887be329a93d0d49c1dc0250493

SHA512
bea18f68f85e9d4afa4df6d80c8fd7597a9b516ef3a1fd9adfd214e26e7a9d9c5db65989c3d433d975a39acc91a1134774d608ee2efb31a4eb0874ee1cb6bd16

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
97ded4cdb3114b521703eb977f5573d2

SHA1
1f5d69d8230e232c5e9d58b3f5d64a9c6ef56304

SHA256
727a20bff0d177c58fc7ef16bc9b8c333550aff65f01f982ee62e9b81e91600e

SHA512
22220b31eb2c723719f69ff97c5dd7ba1370e27548a688afad8613bb1ee7f83ce54102885c59b01f31cde7c81f81a0f850cfebb8282eb6a751d549d2f6ba0cf5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4b35a01d89ad46edd517207c78bc1a98

SHA1
c1f518c97c3a42d5f8dd441db99aefa2b7409a70

SHA256
14e97ab644a887d0838ff968e7c1b1d3788c9a2b72870a39d8fff0cc611895ef

SHA512
c5b2b84c74acb94e3153cd76e15fba7c0fe1c885d8b900cadfd74f0144798e23dab374d0dce0307a23210ec6475213322cfdd92a16a82abab6210d5232a66242

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
a78b23530bc56421a87ba7c5c355fffc

SHA1
890a93f2dceb54b37bfdcf5caf81d5d0cdd85c5e

SHA256
568b3e374db9b0e1a7cb1591f491dc60fa7c2b6887aab48499ea6032f4d01d88

SHA512
337a046f42a7278da0ef8ac937f92b08948a8ea29282b35f3a6fca5c0ea11fd9470bc44949df97289c7ed96451c8c40829098ee94b18183651e7ef9f1fd691a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
473b356f44354554b7ff0ed8cc689510

SHA1
d4ab94afd8a65a9182203adb4dcf9db7462c8e88

SHA256
2e9643bf121a04f073a12b0f2cb00f6247322742a0e8b9ca8a0f3fec9723aa1a

SHA512
7455d749a9c45decf3c3e2ece3abbd5e5db86cc6557cb5c7188378dd1f850dd6cce0172de1b53dbc34844a8ce6cd96bf20d28d0ab8318d2de3d23a67df85a5df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
bf0f30f5e584c3463dd3da389adde6d5

SHA1
def80cb78f87e388f8f5d787c09514107702cffb

SHA256
e6436c89c9655026e54efbe46d5d986b821f39a09dfe1e36d0213c9f424b979b

SHA512
6e663ceabf0ff8792b9d15cd155ea161fa9f8cc85a95caa3df9f21ac4499326989f85959ece72bc33efe067e0d6e035b7dcf0bff4a4d038077f5dadf8a47be7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c364f3210904b9cffb3a26347f177fdd

SHA1
913646009d56665eb73f37093359ca3949038f10

SHA256
3f68e7f31ffc6cb7c9246027e9e2f34423f50a92aa69f267c21d01de034f5522

SHA512
fd0a664c35a2d7d01a960e5ae2c80b476a5467660b9bf31b23b6aee80fe9fed5ae4299347f0f41e475da3e72b4c1d4f0bc0dd5b8147121b8a4954d15b0a477ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9492082bd09f5ad3709c6a3188881bd7

SHA1
cacb9ea630c4926159aee7f5efba543f37f40322

SHA256
53045b65724c474b2e4574c6bbad446bc9deab7d8831bae123000dd7f7532ce5

SHA512
90e3ff575e491d7974159f5e3c83c174eff046788cec635fc2c07e7df9159092cf5c28b2197dbb82959a4d16a2276e10471fe7a3ead01cafe79b9ab28c245c46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f8b1db55aa49a03749372762f510cdcc

SHA1
60867d3a40ce001276f9408a5ff0f77d3b7a3263

SHA256
46ae5031d105a93ddce7cde4fecb560537058ef54e6d9ba0e77b487977af251a

SHA512
5f901cc59a32a47463343734b513a4a9362c7222ab7d73ab740012b2faa71d38487ce75e22ec1379a2051ec0d287e2e3aa502c43723cf93506be319a38639989

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7a53d79a86c7fe727adcecc713955af8

SHA1
68348b224d092c49066f75a6fecab469b0c9c2d7

SHA256
d4d4a3aa14f0313f68523b111d4c1201c7a93c7ad113eb0ee54acb2afb18be84

SHA512
9fe762b9b1736f619d0afd896840c954924f4b8041ab4a064ceff311a968d20d7cd3b84eb77886cf319bd16a0e97144c21e326ba6ecabf55b44f7b288ca53c11

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
a9221087cf27fc278f24a3e06c409add

SHA1
a958636fa7a274afafd96a1264b9fd052aef997c

SHA256
b9e7936be04105e3cecf7cce816b8ddb94112f018c973db35641afbd25a90e04

SHA512
87025024f9cc976bb5981a70d4039c77fdfb1b18ee4f1d6e291d342d29be0790a76ecfcc64cd78ea935d1bdd5008b8a92dd4f9835d6221ebd22750a2b67aaba9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
a8d9f47dc561d08d2650b48e4cbff6e0

SHA1
f24b02abe892ebefcb4983fda64cd81589cc5f24

SHA256
0a8f9a952ecb5456c85d1e0d662982c8938a37322b3d619d5cfac96d77b1297f

SHA512
aaf6914f3bd8c4aee2da50175ddc8ee9d83f6cdfc988e6297f2682d75d3469cd8226e13b85219478c13a529ad7c23ac79d0393feed1415cc57e2a0a1a1159afb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
36a98300505c66bde6231f11a5c1cd80

SHA1
6c798729dcc768d5acd9bf1b76784b53748794dd

SHA256
d5dc10a0a9df1b244370b0337047641ca2cad4600835c5f6697b39d51e598d29

SHA512
a6a0fd2f44741c4c41d6bf9d436be61a45f4cb225b53d57d96e00a0cea4c8e01dc221baf8a327e0047a947116a00d81b6166491466e815a6412af1fbeec4926a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
125522ffb9357108b4c7176b81df3a76

SHA1
b3a187933bb216731ea66df04e29521aec64430a

SHA256
3e83a5a3e5c990b452121fc65acc5feeb8a0c0c1f9f93abf30573d03f2d6ca63

SHA512
ca8ad065e80ef2dd812515cdc732884dc36ae84e5d2f21ee8769a9ceea1f8ffeb2e07445ca5bd1971039acadd609521e5b4b033496122755c847bf0abd9de83c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
618361c7672572a74e49202655b02f27

SHA1
87224d357421ac273db0871d133c7c3639c568e3

SHA256
2297bc3a268db97a0d075e168e669f688d6bdda654bc526845bc51fe2e12d256

SHA512
863cad4d0c2226a942b8a45ab4a1bc64449b013f6b244a783b8608bed82e40d3fededcb3ad87fd2b3c2abb00d7bf95ff63b8e8c6f2c02d9542232661a585e042

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a4130f5465387e4ee8e243b2f5b96dfa

SHA1
5f5b25c60e2e5b1262e8b8481f2828568d8857bc

SHA256
c363d9507bf0d135f7196582a511f95e9c2741f1a50b18f26965f096ec4dbdf3

SHA512
2507745147ef9eaf63288af26a04a40f38d3405075576c433bb3a508677d5bb2f53a3663943d6fcfd27bfef3c26390c6fd5f063f71ca658ad577f700690ef22f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
0ed6de322837fda47ebbb32d03482a49

SHA1
4f77c5994069078cc3e26bdc209fb7cd9132f7af

SHA256
f721263fd93e7bd170dd0c8024ebf5a1d0779152d2ffc55765f86e126c788768

SHA512
1f6ff706e8aa462f15c1048d79b47b381267695ddff2355ff8d03e944d6bac9165fc5348bd64a1f8faeaae8715d4d174dea9be724534573a8b9caa784c174688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
180fe3245a43fab501011494f26537f0

SHA1
ba73c2666ff976243614090285f82a0d5cff9d2e

SHA256
2e35906f84be62372027166e85da4da30709e324dc9053b54ff4f69790c786fb

SHA512
212b17ac3ec84b5596cf366523a8743adcb770472173c9bfedfeccc7dd316c3dd984ce0c719dea770b7494e03205559837da83b0f19fc4f622480d621b51caea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9b6ec61355f9a489f4175155181c7fab

SHA1
8276aa585854d8b628cd7a91e1f9edfa15367932

SHA256
98b8c83a36ebb19623c74085ada9f1ac1514333d0ba98516cb647baf1ad937a0

SHA512
a2188de8e6960550b73ae3a432d9ed728240bb691f0e2482818bcbdc7706625c6876e33aff37c118bf696655a1eb33a5307d1647824d3f3d943531b0436b527c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
44d73bf4185126cd924300af8414f6ef

SHA1
dd7eed03bb919f53a88f8862dafdcc105e0caabc

SHA256
ba42024a1650e290c9137b5dcbaafc582239cd522bf0ad3ac4cf3abe693f6ecb

SHA512
1002779943157b6e135fbf8ac114338f532209827909da7c9c85bc1020dd1d851ec4a8013540e4e2b046bebafbde3e188b0b17ca5de5ce6f340a1119bb9d8f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5794ed.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7761c0fb297efd8db1652c3b2be9e4eb

SHA1
2896ff2de39bf65285d345fccf60e92049d40d3d

SHA256
9f89a7a72af8f39c1be6cd1c723833aaaa8138f497d5ec6834572bdbe48feaac

SHA512
2b01186b490d6b142b3bdbc500d09805566e24b941109f7443c4a74cfc00db0d8005382e5d775664fa8194ff35785b16b15d76a4e89b1c0be75b2ccd56548221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
a3b259c94f9d68bf80fff5ab430111c7

SHA1
29d72d22dc36763b5bcca642eeeec74cbc307142

SHA256
ec0b840b99d3f69827deb28538dfed8d52330c133a58fcf1833773ddac6692f6

SHA512
318772418bcdfc999415d3bf18559c8fc1c12137344fb8da0aa3adc1e6148b4c44c79562c2394b9855ecfda7c8bab5c118f4b3c7e1362784aec60d22d638e7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8b612ea1d445488abcaabf9f666b460c

SHA1
67a789471c803b4b0940f962fd90383c9dda1ad7

SHA256
214e56fc82530369e9b0dc078cce4abf120fbe48c05c575cba55f33a2147cff9

SHA512
b578cf5e5730a181482ba036a624dcdd60dfbc77fd00a3d2d7c889536953d0d2867ef0090176fdc08747f66a71d8a13bff7366b9db40826b1233d88a6beb3559

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
ccddef3d0aef080a0f9bf18ad293d9bb

SHA1
d17202a1ef88725bd282f0ab9b865a3cb8eb5d6d

SHA256
9912dfc2ffe5962fbf1107b528f695774427b46679cd7371d4faf53762cacfa3

SHA512
b6f3bb5b25c346aade3b1e7f216e14b36bba4107f008341c337393ef618ec75ce8a80cd84d4d4e221d65c6f883e5963440a5ac2304af4c64ae8501b3f8d585b6

Download Submit
C:\Users\Admin\AppData\Roaming\9cdf2dcb293b476c.bin
Filesize
12KB

MD5
3b8feab677da4e5cca937dca424fcdc1

SHA1
9b56d585c258f0bc7818d43ef59e43b9b5e9cecc

SHA256
0df8f94b6dd315d7e1fc860caaeaea8017f5e9423506e4b43b0ed70b6478e312

SHA512
5a4c4d012cd374eaf0c155c7a6cf998b2e53079a237876cc476ba127ae7acd74a6a675544c86c3e7f91559c5ef68c0e415d17580d7f84877ea66187c4677d83a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
7625aeefdfa2271f040ac00c46e3ae00

SHA1
d85d260542e3ce3f7f63840dce42da9e5ff5d390

SHA256
d29ef2f7641e1d2225377e76578ca4421e8c31e09986c92e249d83da486bb912

SHA512
87475a6b5d6333f9be4289520d9fd314dd2a4f4f1fbd8266340eda17411070e6efcff917425a3418f2ee7f14e3202e709e4ebbe00f45392091d9efd8c045c7f0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
17f86041374c24dde34b10618bbb4b6c

SHA1
cda57a653af691e4bebd9b8690e872158c9261df

SHA256
b1390fe8a4d6078b6c30fbca7dc68a735b60db355e99177cf17de814ab33093f

SHA512
c65ceeb83c7f3fc09bef700989c2042af834218e028ee8250ce414ce2c2e232494073231109e88dcb5f74997de80e8b9095860393d4d706f4eb3637537178cb9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
10be99a67319e46aa71a6f1d9654d6c5

SHA1
6c09216ad2d6cdbe6b0cd4b85f37ac9d82482b75

SHA256
f87e7427f40cfb35b6a4372ceca24bcebaf986ce9632dfe3f0090ba8fb9c4743

SHA512
e2ed2cd6a57aceaeadc4be55e249941da3a64625ec7ba8ee74bd10263a1c7e7e7d86ce95acd3e440f4e1ac99bcf835c9442d902c8d668c447635105844a9ec3b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4a2d227654ea68bb084f37ae1064045f

SHA1
9636f323f88218c70b8408760b68e4576a4ed691

SHA256
6c503b35f06cd1dbb038a2ce84898bd72ba64ec4b865afd02b4c68ea210349e1

SHA512
e0921b370443f9e49f469e38b70c3c8c8edd8733653577c471c8b48527fd75f2817151ebb86de58050cadbf1a33bf82ffdaff308d4c11f5f3bcc11a2ab35f2ef

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7304ea44859fbae638ebf2e634d81478

SHA1
1c1738d6aa57759b2de1a6311e97ab8e66a3b92d

SHA256
c65ef681f666b2c88263f5363912d22bdc09f124180c0740a02b15eefea0e673

SHA512
0d08d6f3f228f070970c648f815856a638a7285b0d23afe099166858392d6dfadc37bbb4eb3cea46c2f8dd17ae2cf7c2331f19466f5a9cb7c5d688257408cc2f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c984a58c15df71ec66455ee11456ebfa

SHA1
f519c36a9c49f02a7f557150b4d588d8e3881100

SHA256
155422d756e13a45a31c76e86a066073ea3615407a4e4068afd7de38824369e8

SHA512
f54183f315855c5dadb4ee8c03c7d60fc95a26b9bf7a276d9db5fafc22ba0edbf5c8b29ab3ccc2a0c295c7c58deed0d590f7d778ddca3e44d4d787efbccd2116

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7363e05ce7a3487be7ca564a75689ef9

SHA1
f33fd251b9c8650f28d3639f918939d93f8374b4

SHA256
0465a397e0983d5b8ef316f4eef36007aeaccff43cb8a079363ea29028353e3c

SHA512
7fc00e3a90856ec4b9545cfe187de253c448d2a582c5863950e7adacdfcf166e2d2031244ec61370fdf11eae61bc1e9f599587bc2b2834e4acf3ec129a395d3d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bd0ba8bc50016ed66653d807aa410ce3

SHA1
665ed7a059431d8e0663cb298a97a0382daee5ae

SHA256
48c12d6c9facfb925520567eb6ffb7bbc6411403f2710d6360c3f2c2da9c37bb

SHA512
ce22df5d54af4685707e2be7576717a7f7ea662c00dc0b497f74ddaa8d869f160e378d6e1eba949c83ac9a11b30f92e5c898272ee8a1ea073ed8da98c621a554

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b0e6f291fe14cac387aad220415aa9f2

SHA1
52b5a88f8069018867702e138a6229bd676b9d01

SHA256
eef95b1b34e6f15f33f9a1a91a1beb2f76d4147c5c0c5d2cb3c2de03289f0871

SHA512
e3268457a6fb6c1c3cfae49b812e3a934892ecf52a68a7657ae7f2d1d50661f5ed8c4dc9815e298f5efe8f141db44005d344919fcec815313b19a479cc900f82

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
214ebc2a66cb09810367cc6f54a1a7ea

SHA1
3be54d7d102dd9c9351b7809a320e36495287012

SHA256
687391cfe1063b5fabbe5aa0e40a46afa3e4f22ec298b1c6465fc015630b3971

SHA512
ccbf7a04603d29968215166c14a1879f1b4a399f15c0609be34e60e5433b4ae7a6b23550f30e52fa736f8a2a69608267f83a878b5d9875c7cf54173f995ff5f2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
85f7ad36fa583fc8f40c0321c83d0ad7

SHA1
85c93f3970931da52168331f02979c4d5caa9484

SHA256
8bc1455932225196bb96da779cb3fef389118a61a09c4ca5122aae7f5363e7ef

SHA512
31221c78893ca80e76f1baaadfca9193ca5d7de1465aa46540963744f5ee84ec0b3dbda9545cb315d651ee736287a4d15242c530181f539b1704421f02e7eb09

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
16a410d6326458cc1b36cd5f111c3980

SHA1
8dd2bc457e189315e5503814fd4331bc312ee54c

SHA256
913f6a82fd4b37bef737fecfcb95affb1babada7009cc5d451c5ed21a45989c9

SHA512
2a550d5c369e6c46edecfdf427f35c713643bfc6323f51f7b666ad4fcf6c0180672395722e1f5b060bc3a85321479c8d6ed38d8663fce0db9c71a45e9e367365

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
54bb1155fd8673ab77468f5c9fc91c73

SHA1
208e93e1143da3711474485db0f128a5a12a276e

SHA256
b03a81b81f9adfc0688e64b331c416f6d4e94441a48a0dc0b0fa0bac9cad7c73

SHA512
997992c96d94188d66cd4a06da3c6a567067f9e37b4bd643f100b6ad4910a1e40522d3b83dbb7ee04f2ee14bb76895efa696f81b3ebdb0e5caeed14f527ba186

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
8f5dca0acf6bb2238e0cc4e207731122

SHA1
7c888a31fa01dc44830f40d4650822613c8e964e

SHA256
983e977ed71347bdf8eacacad3f1c9b66c38945142a6fb8ffcd41090b9bd46de

SHA512
916d2b0bd4e8ed89d89cd7eeeebb6b663a065292d051ae11bb496619f1748683202fdbfb68e24c3bbbe600f007bd87a762752e4f358053b9df58d90d8c543978

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
79d98ae8764fa3fbb6e0e0fad380029c

SHA1
b4dcb04fa7ce00887349ceba88e96d47fe0534c6

SHA256
00bd22b207c9c34f28cb6422ff1146745e387e693a722d3a6b282335e335df2d

SHA512
c9b4a6b77c97e51022c27d0393bffc80323aec68878ab17a074ecfd59760683b3037bb1e99cda7982e4b53b27f57171cfda5e5026c0e21210dda6139b3d17b27

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
381b5d00d6193912f23060c94f761311

SHA1
757b2e1c80b30699785b49f5c62da54bfe4bc098

SHA256
ba540e37de15eae7f15012009f00e82d3bb0cf9d79c7f1c309f8cc0099d4b0c3

SHA512
2e38259401d4ed75bf531e8f81788ae557e861a660f8894cedd8ad7696071ab0e390d85fbabd9781647651d3a0232cf0552040027202ff3f91a26d21e3496caf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
934cfe4eed0928c87a95d231f0751fb7

SHA1
7908a8d79a15303c26103a8e90e000d6fb3c8d5f

SHA256
afe09ec8af442a3b4e12dc4fe423366ab9371c34a10c41a60b4717ec8260f5c9

SHA512
9e8fe09b7a6f8c22c8bc3ef42a48d6728e80ce42fe65b8695c9d0294ff7db72df57159608bac1d97b772ae05a1d28fea1b328b789a7e5986f3984722b0899653

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
04d79f71d11d7785cd20183c79a20799

SHA1
e0298a12b1ac72cbba122b8a76558d97e2b08afc

SHA256
69119d8f40f653c95cf136e22db4781e906985b3ba4068f6b0b4b81d7d98f713

SHA512
8c0190b732e9a6909b8380d529b0cc3b6039882607e801f6cc5aa95f653a865b13f28e8cf4a5ce72a6f7a393b36f6c8c56007c0788e846ad82a8b864f71d01ed

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d88186d0f409940d6f8f3468fcdc9849

SHA1
52c0d4164a2fe894a38f023823db48707cc02d02

SHA256
d71b84dff45b46e64dd110ca91314a300c6f7b92c6f70df859714389ecaf21b1

SHA512
b8f8a4d75288f00de7daf15f0e0789f139ef7caf02e5c8d8e94f28dd076d1e93f0c5770a215b8c394b3641a42bb0d1a067b7732c1aa3e27144cbe0bb6c38e5fb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
e24edb2560971291d54b3c76a009e42b

SHA1
3073ad119542fa35637a01448197678438906f60

SHA256
898c3f1733308fabacb345ce482ef53f0f3b685b790eb54b16b4cad65e90b5e0

SHA512
1e738c5e4970d70d7870ff4bce2924af906027d732ea5c633a753e586941088040cc41b4cbe92a8c4aae6bfa95d9154b9aed647322302986ca20ad338ac99011

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
f7b906af6dbfccc723c959f9247dcf61

SHA1
92a0df08b7d17df37b04740cc2b35b7bce75581f

SHA256
f892ab082cc9e16fbd4ac8a93aded25d43a53268bfac95d46ab5c76284b559c3

SHA512
eea47113356c10c22743f4f8989b7d3938ccf88f51f0f1ee3edc711fdb20bdc6d227aa63aa3befb7ef58887dd40250f12316e18295e3a61b2e6973dae52dfaed

Download Submit
\??\pipe\crashpad_5008_WKURMZFXVUIYOQUT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/464-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/464-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/744-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/960-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1000-702-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1000-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1744-148-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1744-68-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1744-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1744-74-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1828-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1828-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1940-122-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1940-608-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2188-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2188-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2188-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2188-553-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2464-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2464-197-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2464-39-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2464-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2756-177-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3080-654-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3080-198-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3228-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3316-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3316-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3316-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3316-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3316-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4336-199-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4336-707-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4348-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4348-16-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4348-144-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4348-10-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4372-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4372-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4372-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4748-64-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4748-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-79-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4748-58-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4748-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4932-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4932-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5216-345-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5344-251-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5356-714-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5356-522-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-502-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5424-346-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5532-712-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5532-347-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5632-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5724-349-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5828-713-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5828-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download