faed20053158276728955d5c4c483367f0f80fade3dad38fe45fad8e902a054a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
Size

5.5MB
MD5

02da86c7ee685b22cc3c4d53bb9713b9
SHA1

4af23ae22ca448498958571d4a308eccdb113c08
SHA256

faed20053158276728955d5c4c483367f0f80fade3dad38fe45fad8e902a054a
SHA512

25a10f327c320999185e438e0ccf92ff850cff7a191a66f49ad97e7afc2de28dea5d89f1a32a07de682edc9d73f885ebba29209dd3984f004b7bfba775e20d22
SSDEEP

49152:rEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfL:3AI5pAdVJn9tbnR1VgBVm1/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEchrmstp.exechrmstp.exechrmstp.exechrmstp.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1072	alg.exe
3024	elevation_service.exe
816	elevation_service.exe
4604	maintenanceservice.exe
4420	OSE.EXE
2232	chrmstp.exe
3212	chrmstp.exe
952	chrmstp.exe
3868	chrmstp.exe
1816	DiagnosticsHub.StandardCollector.Service.exe
5932	fxssvc.exe
5876	msdtc.exe
5148	PerceptionSimulationService.exe
3768	perfhost.exe
3220	locator.exe
6016	SensorDataService.exe
1560	snmptrap.exe
5348	spectrum.exe
5440	ssh-agent.exe
1644	TieringEngineService.exe
5700	AgentService.exe
5504	vds.exe
2740	vssvc.exe
3668	wbengine.exe
2900	WmiApSrv.exe
5832	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exealg.exe2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f1993dc6bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b7dce07f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043817107f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e722007f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002afb2907f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7851407f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5c02e07f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007abe4d07f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d6e5e07f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007baa5907f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exechrome.exe

pid	process
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4808	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
4576	chrome.exe
4576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4800 chrome.exe
4800 chrome.exe
4800 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exechrome.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4556	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeDebugPrivilege	1072	alg.exe
Token: SeDebugPrivilege	1072	alg.exe
Token: SeDebugPrivilege	1072	alg.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4800 chrome.exe
4800 chrome.exe
4800 chrome.exe
952 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exechrome.exe

description	pid	process	target process
PID 4556 wrote to memory of 4808	4556	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
PID 4556 wrote to memory of 4808	4556	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
PID 4556 wrote to memory of 4800	4556	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe	chrome.exe
PID 4556 wrote to memory of 4800	4556	2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe	chrome.exe
PID 4800 wrote to memory of 2020	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2020	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 3016	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1720	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1720	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 1680	4800	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_02da86c7ee685b22cc3c4d53bb9713b9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cc8fab58,0x7ff8cc8fab68,0x7ff8cc8fab78
3⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:2
3⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:1
3⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:1
3⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:1
3⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:2400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:2232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:3212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:5908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:8
3⤵
PID:6008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1940,i,2504103606244101517,1504563340494896225,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5832

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:464

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a00e7e23a6e2502bd4a7965932e822c6

SHA1
5f6cf45ec22feafcbb11dfddd438c1ee0fd4fe99

SHA256
d5b5556dd932d6755413143f7380a0a3715faf67687f95ba48bfcff5fc1c67af

SHA512
e6baae10d92a71ecbcb36997c0fe058fd0d24960c3a40b8ef0995352f5659724ccd4970a1889a1d7c90b839fc53d91f15df200b9e25e7d50ec45ed2496ad0437

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
27f8a559f372051300a24d5b3e2563d0

SHA1
5d589fe9948708791cb220abb00522c2bd513a2b

SHA256
88b39d69de41d7c8ad8ab1e5c035890aa0a81f21812998ef1daa1280bd0cbcda

SHA512
4d3c5dba446bcd427441d2e986ac8429d834f286d68c1d619af863da73b12036c76de49e12bfe8cb33c4169a83f0659035cb4f4f1bff21d9605ae82810930317

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
82890337445a9cdc48708daef3d1cb13

SHA1
598eb4021243612be14c6856d9a0087cac87c7d1

SHA256
554ad6e0e372cbaeadf5b1d9f961a4907a6e19dfa5e5a4500bda7e3dfcc90f89

SHA512
5730ee3066d0610d8f5ef7fa1c52cb38af88451fb71a02b88a148691423ffd4c0c4951c61cb9e93422db3fd6fdf07079f5ce56b3bc9a8a6fd47cdf8c30bf8e8c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9a9eaf58f8acad84db4d3cc9b69f4342

SHA1
fb3e98e447f0e67521faf5e4e6c5a9539625cb64

SHA256
b4aed354565a71e3dff0bcab96f2b24c2f2aec9f47091c5bbefc889d9eecd8bb

SHA512
ee45997c790f33aba353f3eb045c2575498506aff41a621b081ad2a3d3c4d062011d6c7e8eb51b3e6b342577fd399813543e682ac03bcd02eff193af1a8393b4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5659da398402cce0a780df5930da0612

SHA1
dc6728984914bc8d329798b75b51d982494a588a

SHA256
639b668530c4542846cf01b830598baa63dcd4325b1392527b6e9a53811810ac

SHA512
d42490e20cb0b6cf432123af0ddec84822e496d9e4a9f56a2944cee063e0fba9ad4911937a210162be9b1bb7d9507be33ce4dc6baef2c3c5f8cc05f1104c4882

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
a2a8d25318855830a90f2b0dcfa582a7

SHA1
894a8cd4fcc46c6e1b7692b037eea4d5c699b1ab

SHA256
0f79ef2955c7598e4bccf140612f6c38e43439d8a8de49edf7ad2872b39f3d19

SHA512
e2c9032030aed1b1e99c98f90ace6387b97de2cb215e95906202d6dd77aacf86689d841082e264d0ca9a5b6c5649979ec9a462c5ed31425849d9ba8dd40b2d3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
ee869a6d0b0662ad82b0deb3f4200d2e

SHA1
92478e405073f6341cef33356324071a099280f3

SHA256
b2c4030bc034980bb768c9fc3e451dc71c4150b7236ecc687c1cfa890b29ce9c

SHA512
5b36f7dc5a99ad1f21ceb1d2125b86c93635c18d6df2d4bc39faed85ea4974b14621f70edcd51e93495a3864dad167da2938e7f606a9915c23506bc334bba681

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
922264663564e1bd2bfbb38ee3200e7b

SHA1
8d85a188afcf99d307c451f9fa20e0cd92668797

SHA256
4397b95ab0f9b4ffd779aa76a1d9bb9cf6963afbf37ae25acfafcda451a06620

SHA512
10f048bf52dde7cad5241e4d3cb65cf278506d63604bb076cb592b8a50f4831de78f9b8d1c338a9d46bd53f048dc678b935eae5527c8e2f08d0ad04a7c419afa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d074bb390997ce0ff763271ab16e7493

SHA1
ab144cf87c0e2c732efc6ba82522d89fa72799ee

SHA256
38551779c0efa84e92d2f2eb332a60b3be4c845cd091a9ec4a1c9fac33aa8e3d

SHA512
ddf23cb5b805db361a09f4b968b0b3a6723e004f33289bed798aa48d43eff6ccf2fcf148484cf7b2e147716d21732101f6a37726574ac38df035d76de4057807

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
cf36915f153caffc8b55971d1f75ffdc

SHA1
4307ecc016fa86068b67b4167cd6a8b48af274d0

SHA256
b6392cf1f597caacc38495d01b1e2fd0b12f3df578745e8e80aafab8ad526f09

SHA512
da70d54d31195ed806b21fa8e195cf54e0290e9ec00d989dbd68fa947c684b121d7fc40d3aa6d87e6c67e9da86fc005924e43daabd00fcbaf0c2048e1ea274cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e152385ca7e310ffc8e791ebac9c9864

SHA1
7e516883b99eaef81ef45b610a72d7b6ff3618a6

SHA256
7be497149a6617e98ea2cd6d21f75b1c524c25b5d33a81a148d41ab56cfcf910

SHA512
7550a93c86f4d014bd2543fc2738fb5d0decd5feb0fe47565c4e117ef593393e35dc8e4e66676f612b6ce9a9c7267f69b3d6c288b32268b1d0ab652fe695de6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5b7be86cb520397612402ecc04a8dd3b

SHA1
02b698ecc16f955ca78817e8f84274b8db8804f1

SHA256
bd3befc6d634caeb9ad795fb6f62074075affcaa3f968bcfbf560934188a2280

SHA512
ca25040c3d97c20fd52075d5a6c32ff4603dd38fcee7ed9cf565fffb89ce99ce9b72311c87ee143f7d42966dd7d82d294d6030a806bb2cc98005055e37f98119

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9d4bc00fd611b6d23b705a35de40ef46

SHA1
b36d20305b34265dc544294006ff04217e417caa

SHA256
bbbd78a1d252601d8d46ac3447c3faaa16823e3e0bd82e6b67bbf4ec974d83ea

SHA512
33d3c184d3ac36f63bf44d628dcd4204ba867a383c05e7947ad4b060509e37dbe5ce85875c0be7eaf935c85c9ed0cbc9755ae809c98bbd8000e6a890bee7fc52

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
ba11b4bc4c09f4ce84ebe7924ef3e20e

SHA1
acd3f654db42012a1f6f421ae02ed9084b3cbf2d

SHA256
bf9e6f8f97d678f9ae6d202cac7d56de29367738f1296106a28a728cc003f58a

SHA512
33f91a92640c983907f78545425b790f9fd9134b60c54a249755904662bd4c8cf10a8b9b9f4861029b59f150428055ff9f310b361a52af188ec9d36604bc39a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
8563fe7dfcf222e5ebe23113e8e1f1e9

SHA1
d55f76cfa22ab1e289a7cfa104f4ede291e9eb06

SHA256
2c64c792131389d73514abe49a84af9914d179b73f9a44a3d6beecf728b9208b

SHA512
e1262e1161eb6022e2c4e64e3a6e91e25816ed3d9b3df8940993fdaf70575912c9e9e54031edb50d910c43a9a76f3d5a7a936cbb5f0809ac90c99ef2c9d9c1ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0433f084818c4724ecc9f4f33ce4c640

SHA1
78ab1cb6a364130578b5ae887ac0c07b628eb94d

SHA256
966196b4fcc9e435a3d1044970c75462586676044c798ece636dac0db38fe888

SHA512
5458a9ed9ee347aa51035f5c3c42bd9ddd9c2c141f81d625d6cf332ea5031257911868bee58e2152815b3b0d163c1aa4c5d579cfcceb165ecd1b1ce79be80c70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3f7678377e32eeafeaa200b258757bc7

SHA1
944abe19eefb593216cdf6cfebe56fe5164f470d

SHA256
6c7ad9fdcc3a46b80883a4e8d4e6e41a84be54b1dc6794713c7d11a3d477548b

SHA512
924fe9c6bb00b6f45dbfff9b8cebeab022e83f8ee7f5bdf7ec75b862d482a04748b373dcc3a1bb050c6e35259854de0ed29fbbcb00facd832959079ae9a871df

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\afb26f93-8b16-44a7-b34f-fc07953f3b23.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b3c7ba07de84cf60cd49283fdf126268

SHA1
6dc331315a66930e55de91c6eb00b84628e8209c

SHA256
63b21b7ffae571754072110788042bd1930f026a8cc47b64b602cdae88e14b1b

SHA512
4a32eecece798d008586878559c79393c338956751fea010857d6ba46a114fc1d959f8809edb8d269043986e02618424601feaf79ac8c9c05356c4276330a56a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
62875439bca393796a82e99cd8c30353

SHA1
408891165a0a62c923f564859336283ebf2baf3f

SHA256
df6b91c62f9ca933fed0c5900431b2381cfa374dcf7f2bcd1bf58c7e373938bb

SHA512
1faa42111faf97421960c342fcc5c23038c45745f1440daf441dcefad6e2a4696db78e6a15edb959f2955578b57a97cc2081e56adc5f1bf9ab117a883c7316e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
f01d186253105dd313df13bac7b4052a

SHA1
2e52054468fc263ec154219559069852be9a55ac

SHA256
3ec37bf3094f30f634cd33a5ac1b45957b46b3d82109aa518ea963e3315a4f81

SHA512
5a8ec9155e25f0c7d27941ddbc3151a18156f7aaa0928aa3d4b1f6cc20036748cf544177abd22c4b392045fa40c30bd4db13690fc663966a8cf8c2c776d76d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
feb51d2f7d34fee5175ecdd38eac2624

SHA1
e964955b89f58aa4d0817f75eef1a02ed6ba4dd6

SHA256
43fbe8115cbbeeec06b0be32b5d6b45cd1c71f82aa3ab587f197c50ecf0c5b59

SHA512
0c05a8a875a70b6f2a80eb284012f04256f003c5b4c94178be7a1522ac3331fbf772ec4daf2536fee3a9149b0ddf1c652611b48eb4a9710825e03482b3ea55ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576d60.TMP
Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
05dc265191dbb120aa70b5c60e38cb9b

SHA1
ac8d74e85a153f20d0b0a41b21c2c6bd4e81e1ca

SHA256
7803f242b23f05c67c41a645ab452956b7b37eb7b2e4c2c16049818de8417b10

SHA512
abb38abe611ee4d2bb5a64864cd3f17dcbf55d96d48d8fae8bdded88752494cab2ef4ae880d951acef3de018a2856fc32c55a448d095d6bb929b27d7b4840d8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
20c78ff679147fa0f1b4002e806b5072

SHA1
1c9f4f223c9929b0d3cf08328fc06cb1872c0f79

SHA256
07f368e736dcabebd2521430f25d50b3d20892b38e8feeaad0c94b67e6f9ebd6

SHA512
ce4372d4140a09bb833f85dbda90d5a773333eb415f9f676cd0fd035f3cbaa57c4958248b735fb9a23f8c5ada531388a86100205d721cc3ae60dab53e39d8e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
dee093caeb9a3f5284b49a246e07b2b3

SHA1
d912fd10ff7e8017a1b5b125cac7e1a8ca4d642b

SHA256
29199e087495d0c1ec8c65b3752900fd235c65fbe050a11a3ed7350cf91d8ee2

SHA512
da424818c9b06277ca7904a19d5e270efc00cbf08b6c2c85f5d9dac4c237484e4fdf5bb626fde89b4adba54706a58358bfd0a3840e5fcf33e09f13d86f857817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
283KB

MD5
ee9601be14dfd8228b7d1963e70d86ce

SHA1
35812d2d6c1e2b1acd57b42e9296aa9139665e75

SHA256
ad8b766b8c0ff8735af5521990d228966a196428e9b26cdc6f230908b57baa49

SHA512
6f414d0ba83b072b4c78aebced5b8030ab7f5a9c93fbe2bdfc7079fc3b4b551e7217b8deb42e6fb860c4a7cd0e60f0fd326c7433b7ab0b779d4b0dc5ac08038c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
b49e5695a6b80248fb5da5ac61eaac90

SHA1
dcff582d15f3d31760f77c393011a85815b0b79f

SHA256
1a1ff746ff364c35e612e4d2ee6fb12fdab0a014278f3e9f25fefd4bd84b67ed

SHA512
9d367892dcc289b84b9595472f7f5af4ee2f8eaf9250f022b565b67a05b63462b9413e027210eee8041dadf8310ac11a725d3a008d67370bcaab203ee22626d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
5802f68aad3c4acd8f7a31c5c67addee

SHA1
f614d7fe987297fc064cc8fe4c0a4602e245a950

SHA256
72ce180d033447bae97e927f9660707a87812f3b7599b54c6554bc6149c0ea50

SHA512
c9ea45d2d4edc95aa326e74d2ff0076c95856942c1378caa7a943b00345b064e751cdce98f3ef7618ec4173eab52542517fad498d8659c3a6f1b0fc5be9e8995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e2bf.TMP
Filesize
88KB

MD5
8cc0c68f9f494968a58ccfd2effb22e7

SHA1
82257a90edb27020ebb6df22eb10e39e747d45e6

SHA256
97f48866dfd75fcd8277aac81f43cf0c913e8650747b434faa375350d17c31ba

SHA512
c13ad701d627f5fe6a8ef57c5baa0ed31f8f1c31e98829d5cd3afc26522958f11fedd35c2c178d7f0cf6699fa87ecea590b1df776d0795241bce15a1cd80a89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
7f11a289a9d66e120577a4b6972a05ec

SHA1
5b917f2ee9145a15cdc6979b44790ef6709c6f6b

SHA256
37939cb7d7780bd89c5d97d1e209ef0a7feda8d5b577f08bf1386c27caed8bd7

SHA512
03e20aac4958c91c4c8adf232a3e7fb215cc5bb93aeda46f03f1ece2d61263f75a2be62276988c20065f9852c9cef563dffbb0f87244660ac77012007d878956

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
4d2e942a35215d708c9e46d1171b5f1a

SHA1
5a39e748fba7b9f88b80fe153c1f4dcc3fa6f1f5

SHA256
4295ad0e229b7eb6f74e8cecee6a3d07f38d0ebbde7d3313e51c3ffc9bf73085

SHA512
9fdd7b752cf85b40c9ab7007f65fc216c3324ab1f39129d04f775971fbdff9cce5e89f1457a23e4ffcebc78bd93aa40f624db74a776efb06f7931ff005a39fb2

Download Submit
C:\Users\Admin\AppData\Roaming\f1993dc6bb5459c0.bin
Filesize
12KB

MD5
f3715a6804075afdc1fb278c239894b4

SHA1
28d37cbe04b697be8fabc6217c98f28bdb99a720

SHA256
ced427c470d961a385be02ef88efbcf26fda34897645ac9a17cb90b2b11ea807

SHA512
bb3712b4bda7a71a128da708d42d557f9d41f8d9b3af3575437081933e2eb97f2a464dfed2aec398332b18c44cd56491faaa0fc87fbc0a6b000601973bb9be69

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
3bbc30524a653cbece9335dccfe8733a

SHA1
f38aaf81787a2bdc3428b392ec3f705559036a21

SHA256
33834059a7d1cc53a5f6a84129ca4e3716c281b373ece535dad26e8ee0ba067e

SHA512
a0da23f9b2cbb1f926e1e7ee91d2986daa4ef24bc1588b7db4ae6664a7d6dc3617c3fddce7fa3e38366aa63e19346d2e02dab4d6a637dcd21aa89ce21259cd34

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
05de7165d349880d1b044871c19469ca

SHA1
7f01ae14d438f158584dd6893a135c8d4f6d24cc

SHA256
3157cf1381d5a060502df046e0bc6b7672db3daa0a32fed3c0b40eb6a8fc99f2

SHA512
41647a1c41570ae15ff130c6b6a704448db021a32de6627f16d5f96f282559f2f82766f052323c24974a01f0df523b21b871026f6ffb9ca3a8bc75540e82bd5e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d92e2a88cb099c60c959384a85e7d608

SHA1
144ff737dc0a40003e6416bfcd64989ff1e498b9

SHA256
07bd28663879f8304408b7cc86b600148cc2574c9485a97aba1605a255e62ae1

SHA512
6a03a7918508203e25506f749593f762829954a513fc85a75609745430343716b0f9f33a92054c3946cd0028b75eb1a71328c89c28e238b20b69989934ce74d1

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
08b6efb5fcbe59645678986231532ea8

SHA1
e53e7db5b8d1b8b7a35ba445555f1d009e378ed7

SHA256
11104b904cde50748253dad2a245d65a645136ff810ce037fdcb3c1482bffa54

SHA512
dbb082231705ecc038ed31402f070a686c0d210bbf91894befe2f062358381df704e286be8a95bd93db85ca888b2c297a16a62dc33c265fdabd5f94c545604f6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b3dd6906f78ac7ecc2f165d61c06726e

SHA1
8e42e06cd7296e856d8beeccd756a145e7f4f3d8

SHA256
05d6048ae5f71fe5939618a5c5b6a740fadafee2d1e24fa3409b1a94ebea394d

SHA512
66c64ae0ae3554613614449995d12cd669856c65eb382855ec2a8bc9c7a9657f9be01509effd8e2afe43ff339c34093cb93eb8103d3d2d0c49cb800d4b6ed8df

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
3fcdb718a46d6b03656f7406f56932f9

SHA1
60b19eda262032ebc0a02676a460b1840a871836

SHA256
2d7b8cb8dc92c96fd1bf1a81140011c61771911f4730ba858f3b4d47380c6012

SHA512
173a7dcc54fda0cce5543d867fedcefc218e9b9d83a77b3f1fcc391d38970bd862c920676ae8f8179d5a8ff7cf58aba5e2007f704184ee2dc35703e993d7d080

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5c980dd3ee426b9e7659d13cb2436759

SHA1
cd7d3b802f4931202e5448013e9d0206761b6ce1

SHA256
00b25b82ce08fc06db37f17d545d00708575b9a557d994ce78aa10b6d26b19ad

SHA512
88191c981956b9fbd694e959768f09c6d6fda5b52efe3b8bfa0924e9dca624ff310961d6c9aa31150daed57c533be01bbf73c96beb2bb4d026b6756550ed1551

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e89f2153cdf93b2e07836d6746c74c94

SHA1
be176944567fa6b4ca17b71465502aa17cf7255a

SHA256
c5097cde0b791bb63134d9bcdb6c5cdc5af1986d1797f63df006e52313681226

SHA512
ca0ced990ba07b1210e2d5fa5835e9f4ef925c6d60f8d30d336f7d394597f413ff3a97bf17d44b0ca42e1b0871ec7a658a4c9f0a81af1b21ab2c6f6e85e845c6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b259433ef97154f4c1d700300ccf8eb9

SHA1
c8cd05e70a04537a856701b5dcb6572148580e29

SHA256
5457bbc3114c6c92ec9992ec5a7ae4a954334f6f9431c4b7702a3acf5503a239

SHA512
3f3c56a31cfa0d0078aaea10c21b3acb84f9ce3cc21ae1a57eaed0832ca3181f72726784afa72cf4a74d754f4f8e9008942a3a004d669df053025ea3ecd3cc7e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fc6e389daa72f37c9e9888c34a80693b

SHA1
9eb63739d9d260998c6e414a3ec2806053db8ce6

SHA256
c373b269afdb4e51f76fb744bfc2051fe5bece9f548df9705f1062e8f1893a68

SHA512
b481da569e2452763469cf527932253563a73441e313ad7128a0ea5ff0c993965c10ac4457e89c4cf8c4d9e4c75845c6a1f6d6ef92503f451d441ba13c5f0a29

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
d4660502b0624ca7058abc166df25cd3

SHA1
2f3acb8c0aea93c386be7ee8f20fea821029af8d

SHA256
2708bb39b6e2f2c5324f1681433464f64716dab40bd745c4fa65669a583144a6

SHA512
41cad0845b894216383836fed321a2439b02533cad726a031c5ee889881cc3bbb23e5068836af39fd961a0e5a53eeb7590f0045caec855057e59550db67d07be

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
000760cd536995ab146652550fdf96ee

SHA1
9a255103f7877df2d7dfc4a21f73068a29bbbcda

SHA256
ae69fba83077b89eb7d3698b29663ea62571bf4c08c8620914273847751eb635

SHA512
13fd290a1193bcd0657d5e745a25d3e926224537c7fcae517f3aa875a61d3c4d94cda30f4968654e1ec60033de01502bcb00567abb025cc6f1e13b2bcd82d387

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c05e4a0bd27b9fba515d6f1c7d80274c

SHA1
12d29719a2994d6fad1889487cdf1added140fcd

SHA256
b75cd2468dbdb14bd9ab57eae44c56de0962a958bd1eb5c10806b84bfecdaf08

SHA512
cba1535d92513af0dc05871143afe4d7d133e2f62dffc3c2a22d7486dbacd7df595ea7b35c17c61f13091bde4a23b9ba436c025552c111a43513c41aae087a3b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
02ac99ac85c751acb53bd01e31c8e4ea

SHA1
33cba3c521879c4eeada208c11ecce1c5958da1b

SHA256
c627c6691b38a9582c58bbef32090889cf26abfd838033e5ead75b40e72c8969

SHA512
a6ddf5ee091a484bc25a88bf30180dcb85664cb4f9a8b79340af9cd082747db4f0a8d1da684e2f622398bebc087759c2def39e15f8862fc26bb4a6be0eb7a9f5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e200d989ac3a6a58a69213627e997652

SHA1
7b85a224e507f9599feed861da94d85157d3a6d4

SHA256
870a08782c58134b735b7378673307527e8bda2299217e14a38c2d7ab72eca96

SHA512
ae40a35dd9e2400b6745e5cecb969c06acdb947ecfaa95b01957fd7c90d75b1ca609fc57e43978ef8e48aa795c111ab84386d09678e3294edd4a9bf28ac36dda

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a1169e414ec8f12bd2f0cf2bddced47b

SHA1
76b969ad2a0f26a8081fb173e8461fdc0ef63612

SHA256
fc668dabbdfdc83dc0a191745309ca5b2aee8ad5c60f772a8f778ed76c6a19bc

SHA512
450cc445efa60a44e5f8e2f6daf2097302930a8cae5f6d59b0aadbcdcddae8ea3d9a7a5a06bb2e6ceb87ce3a0eb7273d1a44a18e3d819b0ecd99e0ac08383a5a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9e87e7a12d93ba853ff2a0821794d146

SHA1
ba4eb2a670fb2e588b9c88b65dcc95d6b30a8e87

SHA256
2d853aac60853382c7ba3e29311873c7fa96e687a0c4cf7cc53869d4853f9c0f

SHA512
9bc3329b65d1b95e2372a0082c7b17f509c1bd5eba2eb3a43c28b0eea0ff33bad03d5558d76006e9aeb01a6d515268494696485b8b17a93ddcf3e33d7995f0e1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
998df086dcb1aef009b074972abd2562

SHA1
71f16e67cda4cf9d09cb99673b5a2c5e6bc67c99

SHA256
212a425853e7ea4fde8c49fec80bfaab4c0b51c1ad6fa8d630174bc0674fc900

SHA512
b68d31ed6a53838287abb4f1c361946ecada1b5c40d5058904514fea3243696692ec74f023ea86652d4c30bb5931b7c9d3e4adf23cee0bdbf5e671fa4834c737

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5ea62436e2f63224da4dd18f3dc2dafd

SHA1
ea3485b3d16dced916d05a9910ee515965e62fea

SHA256
2a80ce80d2e9906dc0e95d53b4c10be73f463c5407d9ac4a8bd1c51c473da4c8

SHA512
f4561ac957d37961296cc2eb102abff9c3c36885fad5939fe2b628eca0dbe49f0d5a8e71e16a160726860ecdb3faf45e733032e40e000e6e105b74c76d284010

Download Submit
\??\pipe\crashpad_4800_MCNELGPMJJLJTBVG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/816-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/816-398-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/816-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/816-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/952-359-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/952-325-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1072-349-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1072-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1072-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1072-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1560-552-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1560-746-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1644-587-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1644-787-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1816-474-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1816-586-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2232-303-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2232-301-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2232-370-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2740-625-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2740-791-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2900-793-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2900-649-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3024-214-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3024-217-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3024-42-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3024-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3024-48-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3212-411-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3212-321-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3220-648-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3220-529-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3668-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3668-792-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3768-526-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3768-636-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3868-350-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3868-412-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4420-85-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4420-410-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-79-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4420-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4556-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4556-33-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4556-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4556-6-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4556-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4604-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4604-67-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4604-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4604-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4604-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4808-29-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4808-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4808-347-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5148-512-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5148-624-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5348-782-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5348-563-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5440-575-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5440-783-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5504-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5504-790-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5700-610-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5700-606-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5832-670-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5832-794-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5876-612-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5876-500-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5932-485-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5932-498-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/6016-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6016-786-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6016-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download