f43ed4f02d7e30ee2de9e41d3b6b13e3b1be2dfac1a5d58f0dd89ca12c170a39

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
Size

5.5MB
MD5

ea2c8a98c166d9c59846cf22789f7248
SHA1

4ee109bc0ffe5cb64a5d7741464dc81763c16409
SHA256

f43ed4f02d7e30ee2de9e41d3b6b13e3b1be2dfac1a5d58f0dd89ca12c170a39
SHA512

ecc5757b501765357f73f225b32d644cf1a8390615174e2e82c9f5c00654fbced4e2db2adfb66b2307d0d216d57e2f5e1e3e940aa6be3e001e356401cc850162
SSDEEP

49152:9EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:BAI5pAdVJn9tbnR1VgBVmhDb0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2384	alg.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
1608	fxssvc.exe
4728	elevation_service.exe
2060	elevation_service.exe
2360	maintenanceservice.exe
4172	msdtc.exe
628	OSE.EXE
4996	PerceptionSimulationService.exe
3296	perfhost.exe
832	locator.exe
4088	SensorDataService.exe
3948	snmptrap.exe
3668	spectrum.exe
3904	ssh-agent.exe
2984	TieringEngineService.exe
396	AgentService.exe
2536	vds.exe
4936	vssvc.exe
1572	wbengine.exe
3056	WmiApSrv.exe
388	SearchIndexer.exe
5444	chrmstp.exe
5644	chrmstp.exe
5768	chrmstp.exe
5896	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exealg.exemsdtc.exe2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fb8a108c293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c0f4e52fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610433828285613"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6c13f52fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af1f9f52fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051339352fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090cece52fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc357452fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065a8c752fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exechrome.exe

pid	process
3360	chrome.exe
3360	chrome.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
3416	chrome.exe
3416	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3360 chrome.exe
3360 chrome.exe
3360 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4372	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
Token: SeTakeOwnershipPrivilege	2720	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
Token: SeAuditPrivilege	1608	fxssvc.exe
Token: SeRestorePrivilege	2984	TieringEngineService.exe
Token: SeManageVolumePrivilege	2984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	396	AgentService.exe
Token: SeBackupPrivilege	4936	vssvc.exe
Token: SeRestorePrivilege	4936	vssvc.exe
Token: SeAuditPrivilege	4936	vssvc.exe
Token: SeBackupPrivilege	1572	wbengine.exe
Token: SeRestorePrivilege	1572	wbengine.exe
Token: SeSecurityPrivilege	1572	wbengine.exe
Token: 33	388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe
Token: SeShutdownPrivilege	3360	chrome.exe
Token: SeCreatePagefilePrivilege	3360	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3360 chrome.exe
3360 chrome.exe
3360 chrome.exe
5768 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exechrome.exe

description	pid	process	target process
PID 4372 wrote to memory of 2720	4372	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
PID 4372 wrote to memory of 2720	4372	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
PID 4372 wrote to memory of 3360	4372	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe	chrome.exe
PID 4372 wrote to memory of 3360	4372	2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe	chrome.exe
PID 3360 wrote to memory of 4720	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 4720	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3492	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3632	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3632	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1244	3360	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_ea2c8a98c166d9c59846cf22789f7248_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2ac,0x2e4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb610fab58,0x7ffb610fab68,0x7ffb610fab78
3⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:2
3⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2688 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:1
3⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:1
3⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:1
3⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:4376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:8
3⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 --field-trial-handle=1912,i,376722451769615269,7677026096738040875,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5812

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3597af02fb9820f2722fa07362a55d5e

SHA1
d330d8b8dc86fffeba2e4cf85090e251e9c74cb9

SHA256
c10d0cf07a5d16855d6df21211fc741432817ebef7041de44df5b19374cfa210

SHA512
a405140072d26fbc6d6b3888da7759d23e1e5604a9f760078fd93a4ee2c073f00a977f8686f549efdb092dcfb06d7069b9bcd6a6e30bebda75184c9873034d34

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
94fc247ea8403b221483395d9bd94c99

SHA1
db7087e1cd2d26613cbbadd02e64d6960ec57f9f

SHA256
eaeb6965c91ce177cade787a809bd026c100cf7177e3fd0b9884f7cde57c5d59

SHA512
61eaa8386219943b7dc923926d846e61be16754f68636bfb408a8edbde0a82a3c18e692231eea17da6f76f3105077d8d7664e4c7272409a529f006bfdda9b20f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
e2ccce79c031d26b40f21e230988eb2e

SHA1
101a67dd8c4a125dcc5d3f9cf4cf83ae0a78fcf1

SHA256
1dc2cbb2583559fc9b4e5750d33a45c03c90a97f0445598089c68276ca4965c0

SHA512
8f21abe9aff94f94d1729685952c1811a26b498c6aed4e557d76ce314e1117184d436660f045a44726c285b5e93ce8a06300c0921fd2ca3427c1272504d1f6a6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
fbb1c59a3f5c98758084a96d08f2b892

SHA1
3ba18185e51db7bba17247130a8b21f2a6e991ef

SHA256
8ccdccae92f1c04bb387536a017e0b26157b1205b2d2a95955a885de8eb13311

SHA512
a34ec377a280929a1bd63c779067d42935d8653527dc1a63dd381909fbc53b66d19e88eb3fa4ca45524db57dfbccfe068c3fd457b58292640559fbe326b943e5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1955d92d83d1ba475675f79cb79beb3c

SHA1
22aeb706a80489fee2250f16ec5a0ed7a9852dde

SHA256
fe992107f713050d16bab83b0994fbfb991a952977c9a48b3283681f99812fc1

SHA512
ca80cbc74e2bc064b8dd1feaa1e3262afe7945908f5645411eb09849376bb8613062eb76293d028d4fa85ba892994f89c0dfdcea9756e836123e1f1f8c3e9d8f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
6ab890d0fa9365d2c48ef6ad8bf9543d

SHA1
e68294c72e5b6595ccde4f0f11c858223de80c6f

SHA256
44d50201b0af989a0a411279b7993e5299befa0da40e79d10998a7997f61fa16

SHA512
16c8ceacaa913c05ccc4c40603e0315ee2b6607a4d4fc4973043d050cd721a604cc5a66df5c6b62109de80631a524356203d952632699fab75133994ecbbb590

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
a463149fcacde747007af58f2c6d04a0

SHA1
811fdbc80177cb82b9c6c8c720e9827e69553c7c

SHA256
d193204f8a200d8bd2bf05f698b56cba07c4bd7d8ed230464d290e09b86a6a42

SHA512
329b4625e49503893501f85778d043b2180403eaf6089fdc3b7a90b1b22389fe6898c6f6f10b8f3f35a6ec9d346224297d1f52b53a4a99829ef80775ae2d51d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1745e941bade98ccac18748429e572ed

SHA1
127c96a5498235ac75c1a59e853d70ae2e6a5fcf

SHA256
056b8faf2da2677bf41e4dba8c1c01bdf7ef630ef33dd92e553a87287970d169

SHA512
b2516b7d5700326184ef7ecceba22e5d9ef4b03681b93ec145f1b1a8ae72cf28aa28ff7897046403f8705315f0b3d0e868efdd886a6ff1ebe93dce7599e89113

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
11ec82a94fd4aa3e2f4f3b4b69d24d22

SHA1
afe2ce53c35355e431a715c52a59b4193e3d68fc

SHA256
62eb268cbcd1c5e81c8e3f6e0eb4fb626ffb39aa0a936726bb216e91744b6e80

SHA512
7fd3f00d3cedc79f6362aca458d576e2a42e75865eac954b533849a02f814da317fbf7fab35d36427d64001c3ecc10b5422e79c33877e78c560be0f0b9387e5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f2b6ffe05439abcabef692141062911a

SHA1
80f5988a0a1ec000fd6576c0d025ae4a784a5f77

SHA256
48dcee9b3f1a76d54a5d412a4e5c836607f4a818a0f1bcff705bc516cb449aef

SHA512
5c1ea75917edd5efd1c7222e92b398c1911a7ccf2058c1ca676c54356cae3cd25806827af467ab282d1ad9c58869bc3da5053b1a753a0bf4316e92c5d9ec9929

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
13a572b3a42815452632ab3dc3e5cdc9

SHA1
1d62b801746b7a323ec0219898053241534942d3

SHA256
44560f518018282ccae9c47e20ae37f2ee2a7af34f44c14dd4b127ef023f33e3

SHA512
5139dfeba62bf8e6923c35a259cb72d29c4d42043b49ef9cbe9789e948d572725f9f20cb77cb6b0e829b3ef0d937027a35cccadbc5cbc76e96dfad126017082d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c8f9fbb78843022b8878047f2f2e8d92

SHA1
b131604c169fa261e15578a19bb00710a067dab8

SHA256
212b2a69d66559791612e549c6263e5c1bf17ff9b1a025816e45554d7145362d

SHA512
746454725b617a16f792bdacc02ca94d423af2b9261e2c0c6253b2193c45e212bb9cfb9320dc478426a6534d530a4735c0b2dd2a278ce193629823eae444d462

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
6e5bece0d34d24d339649e05fd599a9c

SHA1
89744550cba1699fb6e59044ce5b7a9104c4b40e

SHA256
01ed540c87c5a3a95a584b1250c27fb6a5b4a0b73f1a02e46a0e7dc4e26c6857

SHA512
3c2ae902c4cf260384e2103e5f1c2baf3c4af0f46d77239c5cae232125e3e1a658078b6382f88d6cc9aaa5b0da523d2577ab26d17c110fd37414bacbdc6736ee

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
57aef9b1a6b68951d8bfa01f69bb64c4

SHA1
c71b6c43fb897b9fc64858919ea4609259d974ac

SHA256
9b0459132109b074dae073281af0c79f854948db5daf8f76df5995136e47b307

SHA512
dbeb3c504168e6c62cea63086a6558738ae22e6425e05f9584ce06bc668b892754ebae1c404fb97402ff524f132444321a60e61ae6d8f333cab81f7893a468b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a02e6f60746db63cb45b9fa9a2219cd1

SHA1
2fb7ae65aba58ac3ded0b15fd0ee6504d6c626d6

SHA256
bc8134ec456cd7212f50074511ae3f3918976e402e05c05c1b9c7bcd67fce3b3

SHA512
63a19de94ed1b9e3bee039df0760fcad5386dcf461b729b945c7be0c0db7e236076234dae5a684284bb16fd2d087068434026964fc664204fc1d20c8d5896d19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
76e488b978d35b7345b4b40a2ab6b9a2

SHA1
bfdb561abf28a72623166b064e024e03716b6a08

SHA256
26b1401d288e26648413e4c941e137917abe5e730f61ceacb408752bda06700d

SHA512
96df2d9636077a6c19f8a6119d96e9db51be2928b0a04e3755d16a1af8c4ab6f0766212c65d8e79eade2b3e2a1d31a0953bf3cbdb2c7c6c09041b8be3b5ce341

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2c4c6349-e822-4129-9df2-852ce1b46abf.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
9ece5bfa03e3d8c954abb3744e1c4540

SHA1
2a6f66fa4f36ad723768d41a505a5f26ef1fc4c2

SHA256
1b4058776d93e3a3e9e23f9b9d66dc45eb4d4396df48e593fd1e614f5b4fa1bc

SHA512
b691abcde30b1316406d38ddb75a1eda2e93c5f75f77d5e6f3d01a8fbeaebe3eb187a8e3670e94aa89c024bea86bf1258996f0ca7831e5af5b46642b0e139580

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
4aaa81882659cbb153afc742918974e8

SHA1
7361960881c1051dfa674870b3994420f05d4cc2

SHA256
ac12ef70b62e38061fa39ed3211877653e1a8d7407f3718aa67ee7a17e20c67e

SHA512
83898fad83fb8de255e65cf0cfec470d0c7a28aad7775d7b5e156940a1b0dda009a99580a15e43d4524389e84782bd1ec8c7418562ba82caa7dc9c1f9f0c6e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
bafdc74f02b17427672d421f92b0b420

SHA1
4d81770b74952155c2b5239ce53b69a4e55c40b2

SHA256
dc4cf30c096de4592e8126b1680258323c19c178f69990ea021121761fe6ab12

SHA512
e7f4fafcd13247fd46acfc9d23fd655014f8f088d5ff87bd475655ac215136f0f3cb6f133818c9502cb6ae7cc5f3fa83fc5e9fd06fd1665b33daf15ec65d4a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
67d8633ad608de91976da6386acf3578

SHA1
ef8fff2e6b684d1abdca4b2a81e615caabc9b9e5

SHA256
560fb8210ca35d611f8b9310ad0d3befaeedbe0ea0bf43c16222a4e97fbf2f94

SHA512
8309edd47f7333ca2e71961133dc3f709607c86c909206d38cc478e54a8b08e9b879f725337242a846119d46119e838882d14af9128f1d8702e10760d57f8205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
660d4c981f9170f8c2d2f4f27f945b1f

SHA1
b8628f0937bf17daa256fb530d92656cad4122f1

SHA256
38445cffc8d7ee1de3bf547ddfa6aa5d8fd82bc14611821f027156221c07a06e

SHA512
6d4a2c0ab6757741be49dee4284da82dab41b0acbf2ff91d25a8223fe42e025741460a55f326b9aec048646a4d8c47a89f48084c5c695cafa46dc570c2f8b88f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57c033.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d5a4056eb88a8a94809c3d1f7a9a6b8f

SHA1
58f2db8e562e3d496d5eb10d45b575aabfe69b75

SHA256
45748bdf4cefe81a9e4651a49795a5d0cbf6c6d090a3289ebf6466c0d72fa4ce

SHA512
e90bcf65855970fb9700718613fa46bbf196a3381f1cbc89e1bc21d80ca2535bee9d4062dd943d7b2757501d2b85e5d76e413332dfc0e5a97324b01bc1427fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
c3dfd88f8127e035d670647f236fa11a

SHA1
777b935637f1051ec6ba6c5861221ad75b44c3d4

SHA256
d7b70f46cce6a03b7d3cb8d67947ee592eb923f257b72b917f69c75eca7b076f

SHA512
288ce27b9618d638ff94df8dcdcc345f04cc00c72b95fbc754453db370233f57d0864beb70fc3c6af7e071bc17e224ffab95ed0d90cc22217601900d60128d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8ee2bc501c2f001d4e966d8c69f7e212

SHA1
9e36b82b7bb83b4969bdc8c083c4c0a434f7e7d5

SHA256
e59063aee7724c588ec4558e2c9df33c0dfe1ca221e58143820128b82efeac19

SHA512
660d9e1dedec4aee718ae2e81d8d38ac5026a384cab4cf7235dd897d783116b563fae8712335512a2db99c374e102fc51cb58c9447997dd83b0bc1ffecec4aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
26dbcdd26693727ae592b0e8c70bec85

SHA1
dfe14091335631c3743687362914c5f455f24aa6

SHA256
3e080554744d63a93583250c515a610037e1718197d32604d5b3b28182901fd8

SHA512
0d3e92bafba9fd7dae1b65e6c4813fb7697f0660647aa93d8d47b318d79c0fd7ff83f513c87408ce1175b9042fe0b9517e459455fda664ab21f209a9661354dc

Download Submit
C:\Users\Admin\AppData\Roaming\fb8a108c293b476c.bin
Filesize
12KB

MD5
2c5d8f732cb80851149a6481e1238e60

SHA1
e43e85ef4b1be950a9347ec5a4b2fdd10e51e155

SHA256
f86ae6bc30c3c3e48eb111dfe84757e9eb9603aab70df7e0aaa7c019bf357ce3

SHA512
9eb4d6a78e417ff1f95f7bc0bca4fdd34c9792d053aef8ea44bc8632196bc156ef68eaaac7c80d27359b66768793adfc726d80e31cfd3415a228fd7d14830f04

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
3d376aaf44e78dacbd887de34310e0fb

SHA1
3692bb5e45c9bc86c5611933b8c1ecee631a74e1

SHA256
e1e2c6dd17f2b91159077d528ac765217c314a113c97dd4179217cb56e0f8b7b

SHA512
c3c168b888be1d08bfa9836ee1628760e6111eaceaf7ecda4f117eabac59172d4fba3bb8c03a1e655cd399b1af5efb9372b32514485c1787fd03cd876c91f20f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b997228af269de3592e25201d64c4e2d

SHA1
51b3bc97ad7b69a85d3bcd96852e9d0ea51d42ae

SHA256
7f4163b6b50025259f1fbf1ede0c571af6d39dafefe88f5902bd22ca03b2eada

SHA512
d49240380d9672fda6fab41ba5d4faf3cb35f4a0481a1c5108966de9b22aa3f693b84eb35bb7fd151b32968261f6d1b86dd3e96855dad5234268f70a13d9402b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
9ff1e8018e247b6e1d2a4f7fe01a5fbd

SHA1
1c7ecdc96425c489715d056137e3b4caee701dc7

SHA256
718bac00d7c6e23f790710c8b922eeb2680bf64ff6a58e9d2571db5b609c301f

SHA512
a887172a7d4c932e19764affdf93b250265bff9068624c4498fdd7c3220c455c098ba0fc834aeb8c69a232749f78529e6e2feaeb74d20112acab4a5832b201eb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6b0c2faf8cc71c28ac76c88c52739ba8

SHA1
f7de23f626ec24baf9b5e5b843ad3bc07fe05a2d

SHA256
67d1b7f7e7c39d3ff40135e367bfccfebd7a5a81891e4f1e9c7adc6b1cf911b7

SHA512
fb6912680718ff73d0e795c8b632cb75dceb557588e63d6c8b0f1fe8a4ee0855ac77c73e7883a78922233eb3f8be357be82d6307ba4462eae1d7c2f55d3b1fd5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
a4769ede63976da221c3897bf4256355

SHA1
a9efd39abd436e34ab864bc0dfa59b38eb2267e3

SHA256
ed7d3ef4e5d4411c868e31b6c626d868af0466ec0f7b6f1fc399f0128aad1c4a

SHA512
9df1bbbf1673f7492ee7efa8ade778240b73a09b85f9f83f6bbe9150f45f4639b7b6d0d616c516fe9ecfadcaedc7961ab9a8ae8501e363f8608017c13a8c9657

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
6866c70001bb42d43a27e3e0802a6057

SHA1
1639db16cde752524a972071618888de0ef584ca

SHA256
03082226dc553709f421175770d484601359e9f74b8d1b2f0131c07cf057d693

SHA512
f83466141932eb913be1b22c1c24184bed318e126e9400fd45fe4aee29312fd7075c7ab9cc3f8b661a97d54eac1384e66d9eb689efb92b6eaf279a38f6d0af1b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
9825cfc7820b3988d2916ff38bfedf7c

SHA1
3b6a4d24240ac753b6cc1092c2dbfa1f8eae714b

SHA256
a3de309e2136bdc5807e62a89062fc363b57cd8a804280f28c8114e155c1ca2c

SHA512
d8635aee83901bbdb30b1120bef436885ce42518d7cabf40df4c8002af6d697f63acb4b0099f7e03950861085ce188d2e54f4cbcba921e33a6a97fbb42c41984

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
cbfb9ab7fabaedc66a95ee098b27c102

SHA1
8d26e33e13a1382433d6422999b21304ce79c0d9

SHA256
48dd282453f7006fb1703ed1cbc0b01adb68994b8e272b722b43714e6b1d4d77

SHA512
390042441338a458ca8c2dd5808641fa8b61929ef5744ddfa09e0a2c9b1a71f167725f05b2e1e2a9c996218698cea30d6bbaa84d14bbd163ebc7581d6228041f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a840ba18515fc960b5769c715583b3f6

SHA1
a152bb2dae7b58be86a3dcbacd1e3d1fb6e564e3

SHA256
758372f405cc23a0ccd946efd5d2cfaf51cfe6bb7cd5ad0bdf0aca6ec83883c0

SHA512
771587fbe5255b9cdfe7208df4b85a73773282bf90234d240cc1614225fec31083564a395df987b78fe4683a7349d2f373baaa36b8dd02711b9e3ab6c981ad23

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
378440308be53218f0fbd16ee0bca228

SHA1
1a959921607c8ee969548422207fe03c18547fdc

SHA256
ece227c05465628b3c8a148346482c68fdf174312f73fcbefe2923befb4f4dc6

SHA512
0d858decd02032fd8da591d6b0864953bb4737b5e3cd630da7ff8952e6043519de00c0f84a32ed9a484c5835b2ef676ed33e45bde03e9e4d384164e49934222f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
f9615c11d90d670da335d160bad51f97

SHA1
754d06cda52201182925a0f175254e6fcbd88b30

SHA256
b50dfd88dd72b1c0345b90d206bd37be42e88742cd96b9b0ea8f9dd7fe3203d1

SHA512
884a19f6eb6c67d7c7966362e3ce8f326f508bc22e8c992c0bfc907a7444d19f90ea12a41770a2f08e1804a05de9effaede2e5192b143ff7ac1daef63e087c01

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5a1e1c0d1233d280fc3242228c597165

SHA1
2dd2064b060cca71eb8bdfabb66ee70ba01b13ff

SHA256
edac1d875d5094fff035bc76f3b5c9f4192b59b3d3f1c5ac56094f556a13697a

SHA512
4669fb5933567f4ce471bad91cbf1a48f66b451cd3d7f514eb8c27532ffe3f77a17dfae0027286ce7148e03d718b112f007cbfcfda131e4d7a40a77afef11b04

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6790f0f40c015fb652b38bdeea34450f

SHA1
28b9091161b7ec53499a9b3723738901ff0cbe92

SHA256
dee435b9beeee5241705488cc4bdd70ede4c77467cee79665b8b88fb2336bfeb

SHA512
e2c0eca3cba69cbdb728776e70dbebb32b757602ae29c76ffd91007a8c47bfbdaaac91fa0898f35157ab43c243213e838e3877a92f111e5631c005b496d9f1e6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
4701ca19ab2366ac2375aabb74714ffc

SHA1
473f7c228ede21c4df81a26042516849c0de4804

SHA256
9b9c75cff10b83c2dbdc369dd782f0ac4c9df169aa6f789138f7155afee9b3eb

SHA512
8896f8e039c8a8354c07ab7d0bc06c34ce9a48d570dc9b6992a5030c51c7e9509da9089f853fb71c3354e7899d0161f07aa92cf487f2440062095cbe1b197f5f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
0fd3955b88d66b19876393afb57ead16

SHA1
e3f1494e62fed4de1a1b64c53ef9e27b0d51101d

SHA256
7977e3e1eb1990f79f6cacb6822b7d0a1fb8f504252d0dbc01b9161eb42a5226

SHA512
59cfeb875fc59387e2003eb439b658973f37500fabcff7cf29106ff7a3fe7089a495b583acd2aaadd58d4c3441e3cd081bc1c42a321435d25aa41db05008a7b8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
bc953d30f864cd9f17137e18ec5ddbd1

SHA1
1480e51a4750f3ad1b9a2ca50818884dcc263c92

SHA256
080f32a0db284bcff5069b1c76686efd6108f01fe5eb30ec051ed4932dd79778

SHA512
b3d8b44114a57368f8eeaaf568acbe02de159682ec7eea4711959faf4c75aadb601b9745dc50e45366fc114730a6cfe56ce14ba5d86c081e1d90088aecd1ce39

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
3303da6ac12c563d33d0793404b33189

SHA1
c022d6d3bbfa537872767a09569dca31fd74ab1d

SHA256
5622770a73c4e4f3e50ca6bcf4d1b1b1d3e82eb3d9ab179fe321b244cad23959

SHA512
e266726d9d5dcc5e64ac78d9edd35555416505059a35db811b8e5978b62e9df384705ea2cf6c9092bafac63011d0721dda0147e2b0d3a6146d3e444383873b6d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
077c2878bc37cefbe45159485294f98c

SHA1
2bf21abca28e6995d83a1b42ab7e8c8a7f495da0

SHA256
f6c259987a153749ae74878c8cbced8519bdf227ec28ce1e3462635c0da25ee6

SHA512
cc5a8ec33458cff161de73571f241e1360b5aed31a2fc35f68b0a03f872b2daf7367d9d1835c14d9ae9ee028817df773dedf3c490bb450c8ff755accf41ff9e3

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fcedfe9939a5c7f7e24bc7a80568aee5

SHA1
fbc9b1c7ad0540e06ee0ec867d8c068ddc3385f6

SHA256
21604b1f24e3acf2cbaf981347cdb2eca334227fef1274bb227d829efc00f8b8

SHA512
3fc2b5a678c6c59fd7d8789ecc8d3a4ff9e983e13d08d558b111e13e864da2859b76b60c27b5167d9c113e7e1861c1a06e3883c47bc965fa6d415506cae2d6ce

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
8cfb5d7ea2adea05ca6e8582ada96754

SHA1
fd28e5f9d388a811f2971b738ca51bace283542f

SHA256
f632222e2d569959d978a76f6945468daa943a07b9dc0b732d67de8161ea64bc

SHA512
9db8a371fb513a2cda2ee6fefa398f2cbc2198eda0a9d7d938b87bb7f24b9109fa0b9aeff86d4d60a8ed7c17c036ebb23250c1451334f58ebca476b2483403d3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
b782555ece64a37cda0834d9dafbbb32

SHA1
6315c19d50b8ab7741c6a683fad50f33677db63e

SHA256
92493da502ab0c05d8c862468660792dedd04cd787e106b91a715d43e1997f91

SHA512
9647f4f6908f220967196c0be9eaa3065864f94a1ece1f04a495fead6c341c95c3ffaec26b2cd35103f1eddf32efa0ff40db239abcbbece80a9dad101583e43e

Download Submit
\??\pipe\crashpad_3360_KBEBJVENUKAEGIJS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-696-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/388-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/396-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/628-314-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/832-317-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1572-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1608-56-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1608-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1608-75-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1608-62-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2060-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2060-311-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2060-695-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2060-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2360-101-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2360-89-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/2384-37-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2384-38-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2384-686-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2384-36-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2384-30-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2536-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2720-611-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2720-15-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2720-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2720-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2984-322-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3040-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3040-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3056-372-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3296-316-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3668-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3904-321-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3948-319-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4088-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-313-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4372-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4372-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4372-21-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4372-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4372-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4728-66-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4728-312-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4728-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4728-421-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4936-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4996-315-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5444-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5444-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5644-697-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5644-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5768-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5768-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-698-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download