90fbed388cc7a901f215d9c4b72fdd5eb35f7ad1144b63b40331e7fb025cfb2b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
Size

5.5MB
MD5

cb2ff221d79a85c3428e2ba1ba423ced
SHA1

7ae72c843ce42c56ba9aef496bde72f0cc56a5b0
SHA256

90fbed388cc7a901f215d9c4b72fdd5eb35f7ad1144b63b40331e7fb025cfb2b
SHA512

d098638a57ea880f911563652c7fff4c9c17489e2571f984027ac04df79a0c5dd36be2a65b103e7d8f59a82861d2375236fa50bf7d02832bc3c7e185fd58f10a
SSDEEP

98304:wAI5pAdVJn9tbnR1VgBVmdU7dG1yfpVBlH:wAsCh7XY8UoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2844	alg.exe
2132	DiagnosticsHub.StandardCollector.Service.exe
3300	fxssvc.exe
2408	elevation_service.exe
4200	elevation_service.exe
3576	maintenanceservice.exe
2980	msdtc.exe
4928	OSE.EXE
2700	PerceptionSimulationService.exe
4636	perfhost.exe
4912	locator.exe
4820	SensorDataService.exe
4428	snmptrap.exe
3984	spectrum.exe
4688	ssh-agent.exe
4680	TieringEngineService.exe
3492	AgentService.exe
1412	vds.exe
1020	vssvc.exe
4460	wbengine.exe
4304	WmiApSrv.exe
4424	SearchIndexer.exe
5968	chrmstp.exe
6056	chrmstp.exe
5260	chrmstp.exe
5444	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f912d992293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchFilterHost.exeSearchProtocolHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dce8fb1fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032a788b1fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058f696b1fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000950ee5b3fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000469cbb1fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6f3b5b1fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000282cefb1fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000667cdeb1fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exechrome.exe

pid	process
4684	chrome.exe
4684	chrome.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
3936	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
6576	chrome.exe
6576	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4684 chrome.exe
4684 chrome.exe
4684 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	532	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
Token: SeAuditPrivilege	3300	fxssvc.exe
Token: SeRestorePrivilege	4680	TieringEngineService.exe
Token: SeManageVolumePrivilege	4680	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3492	AgentService.exe
Token: SeBackupPrivilege	1020	vssvc.exe
Token: SeRestorePrivilege	1020	vssvc.exe
Token: SeAuditPrivilege	1020	vssvc.exe
Token: SeBackupPrivilege	4460	wbengine.exe
Token: SeRestorePrivilege	4460	wbengine.exe
Token: SeSecurityPrivilege	4460	wbengine.exe
Token: 33	4424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4684 chrome.exe
4684 chrome.exe
4684 chrome.exe
5260 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exechrome.exe

description	pid	process	target process
PID 532 wrote to memory of 3936	532	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
PID 532 wrote to memory of 3936	532	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
PID 532 wrote to memory of 4684	532	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe	chrome.exe
PID 532 wrote to memory of 4684	532	2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe	chrome.exe
PID 4684 wrote to memory of 2900	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2900	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2564	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 372	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 372	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3264	4684	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_cb2ff221d79a85c3428e2ba1ba423ced_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a478ab58,0x7ff8a478ab68,0x7ff8a478ab78
3⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:2
3⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:1
3⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:1
3⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:1
3⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3916 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4068 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:5792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:5884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5260

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x278,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:8
3⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1892,i,4976754970942764728,7937649761240747394,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5592

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a1365a87a7c8fff3e718cb292f4251ee

SHA1
925912fb28be88810da447675aa8925a02afe24d

SHA256
5d17d5a2d8213eb51f60839d24ec775f5422e5635299bf24c2ec800ca31ccc1c

SHA512
060c06908718d31318afaed6a31154ba96d952bddafccced6c6a965bba05fb050175755b6b6b40fa4d789b0a661b7a97b9a2dbb17ef93cf8ce3f32875288b34b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0115b8ba49620c1c6677ce31dc60561b

SHA1
535589da7af80eb4de1fef509a91f9b0b4f3fbdc

SHA256
6a93a88ccc2bee376e4c2df4ee69b1e7dd720d5db1e270e9b7eeb051e8cb1c49

SHA512
ebcbe7e4f2e19523bdd737e08c6244d141c90b9adaed66ac4712988d876d79f286b5652aa78f17c9a3fb3940f458a11c47679e8b05a1cb1d226959bc2282923e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
5e54df95a6ef57ff42c65b56858c3400

SHA1
cfb1be10f352b32e8ada8f1ebec47129b642f4ef

SHA256
1d67c102b491cacf46925af12d54b9868bcc230b5e16deb3bc90c40722bc573c

SHA512
06c0809c8bd077812d0308887234539e3d9dd93b52640d655bca9d0d7e5488ed9b60ea371012983d5c618c0a313b3557f2e4e6abcfb073f77fc6f25c4704ad00

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9a54c948e867c97b714c5fbfbc261281

SHA1
aed84a89aad5ed721459229b6ab260d620ccfd14

SHA256
f1a856d6a40d1951a72af045b9a3347cae34390d090fcdae5d97c20cea9ef336

SHA512
3c3dcd4683d8a099fb2f0e870b827fd0eeea4fe4184ad64d700f5aad6aed0b49ec5cb2503234badb8cb93365b34ac094caa864b6c0454d127a13289374cf1039

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2746cd3950aeb98df75fc705cc5f9ff9

SHA1
cd8305f72789cc41741e16a105b33b12899b59c1

SHA256
444d19034c4db30f36bb6d2bda0ef8861a13158e446c0501a76e093ce22a3601

SHA512
f3ef435a7ba24d9ca072e2ff32f8ed1630857bd8f122d5c537d4a05afd4432cd0bfe891c71125b6503354f12b79841b17847ab76c18cc1dd59d454e5de6f542d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
5a613484b7cfcbb9f4dc4413c41d4847

SHA1
408d7921263f97e3cdbf9786ad889a5e853fd28a

SHA256
7d3d9ed47df30ab7812320616b947a03574e4623566ad2398bc5595d8157e0d6

SHA512
639cdd4f92e39397e889ff615513db53437f667713c51d270d28a148b3047b11bdb192e22d4cb3e9ecb3fe137f8fb807d3c39441a65be5b00700015070dfa666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
0a34e6a87704c8db31bc33675b63cd07

SHA1
00cfb8fee9c4e66a8dfdccab0a03b584fa20d036

SHA256
6136ad1345ca86c9bfb554f8ba215c17f413383c3a421395a9e40beb4f645a27

SHA512
9177f9f1cdea5d6ffa05195cf615c382ec291f6effebb4e726bdb5628c130cf0e15e3ac5e3643bf7987d9b23ac682338c2451018cefce50ad69529372fe44744

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7d90ac75324d19c8a082e0c4bc70280a

SHA1
5605dcb8fa3214f2b14f8484c75c8984f11b3961

SHA256
e658d4c0a81894e033f3e2f7c14b8ec3da9ac2024af512d0f8907d64673d675c

SHA512
797c161be3ec4d0b7440cb2545a5a2789618b3f63371eb8977a7ab64e4e99f684e8d61b5215f49a6aad2e1c82153461f512354e029c2d55c68e1894401601b4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
b0c741c421bcc011bda4b7e9b61d9539

SHA1
3a9ab4d6867a4dff7b155f3e71e5f52080cd8aa2

SHA256
097ae3f66b2a905cc4f7de7849472809b1b0512af45d00068d7285699389adf5

SHA512
4521f83537b09db964a904f76d8c72684bd62a94b52ef5361d1f3f2e0b2e46bfed5576cd82d85824faf3a4b1f36ac5557f11b98d027595e0ca20d540fdcc96e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
098b97fdd03b02eaa94a3b1e07b72f89

SHA1
0003f9c67479e14a9ce8be8f404b8f43f4e7cfb4

SHA256
655ea777bd8e5ccca782ea2365b8e4d6315c06f4ccfeed27d98d5b6b0d6cd944

SHA512
5b736689a18e82c104e084df98517587c592fe2f9418bbdced2a2ec0cc02b4bc4d4be1a535ace5ffbfeabb714e752c67b7aa766e8ebf0e663b09d2633f7363d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8bcaa402d63d593cbb12b44c0eab6a9e

SHA1
52338c079f99569e6f777e3a2f59d6efca376eca

SHA256
14e1077a203d3a150290034fa80986ab84d0fae9e61dc55198f42d061250d702

SHA512
b8415839eb6edfa83d941564276546b01412109b50c3f22031a889835dcdab8ee7da394908152911ad035deef8d3ef747548816d155e4a2ad483a518b9fa1238

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
884077d9c85e7a1293b550810369998c

SHA1
9daf12d31296ae4b33dfba90811151f2951c747c

SHA256
172c27bbb471310998500c72c2e976a75bcab17fe72ee8be420a58799ad0d1d2

SHA512
2397ceea371293320b90baad6b6e7b97bd5d9beb3c75f9349ae7d491669e379daae9b78aaf0927023f15e0a13fb7f5c808b1f0353d4acc4021efc2c36299584b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
fd02ab502cc06b20019da69f55dc43d0

SHA1
6181caa4a495da9e60b66cd2f5dba37fc26820b8

SHA256
6834de8d71350f0738c5c308ed697c771f9ecfab241181950c5a57b9a00023e9

SHA512
cbd921ab6f62e1dac271ab37b63440476958c9ef0650175b544b4c5b995683020b15acbb12705a6d28686f5a7a4b4524c416218aa2940945daff1697bbaac098

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
935b12a20297a7ed70c4a3c35ee14274

SHA1
bd6ee34583a923bd9baaa077da240c22df9ac520

SHA256
2bc87134efa43f934b3e4de81b21c7677d1d8063fabd25d47ded975c74d5167d

SHA512
55a6bb7eafbbd06fe11c9a4dfd14e329f84a861921f6e9803e5a9b1661ecf3eafb047ef4d5e6adea2da21042e38d9c26cab12d66e04ea1879c00e6e5a119c105

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c5586d921c4ca5e8be538f9432deab1a

SHA1
737c170dd8e56f70733042d9220ea959849c3537

SHA256
dc39a510527989ff02e730311185a24f0f74dbb8a8adfe7e6497ff2cd863f77b

SHA512
708eff7b09adab96fd59c53ab87cc7905c77ae50433c081b38fc489b5faf9fe7c924e0a23f1fe32a3fca93e80c821ec0417914160e5f41659e168d062262a17a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c518da69a13efe07b7b7a094824e5328

SHA1
ca6806f01b983126adae94d89142436a00113eb5

SHA256
a8c17a29da2192af1bd3313a060cb538875c6f51498e984c7bd8712957b569c9

SHA512
44444cd44e4c68822d5d4323c566ce3ee6d2eddec0e12727657135f992b35680d8c08c318e6a39b6554ece6f124a200d283fe8bbd3d57548bf23fe2e685b0a9a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\b8cb52d9-7f36-4d3c-b0e1-fe83b7f58bab.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f5eb8b17ca360fd3579f75484b24811b

SHA1
6c2f4d4aaab8a54956390d012033593e1780efc4

SHA256
389bed55d2db11ec007a2cac0ad07166a38960d3dfcf139a033db60de0e525bc

SHA512
bbf49b947ec655486d2a9e2fbcaae5c002b078f389f63e8b713c6202da97db7779a05a3fc5a4cebcd9916fed10065e63dfced8d1523f07cfcc8e6ecdb8fb426c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
1db33e40e2d2bd156d666406cc520a8d

SHA1
2011279df1c80e93a1e6b0f60befd5037e7d83ba

SHA256
485aca62724e864cca40893bf476b99fbe4dc25624dc06a9a2b98409cf7e21c5

SHA512
24e1141367245e47cff5a5c0890371b6f5cb634b259974c9d600ab85f7e421256c3367aba1184d06a0a66e9d30841e369aaa7fa14e34fda6f0887e80ead7ace5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9fddcb8a97fefd3695007be11cc95bc8

SHA1
914733da05cc253423845e344c538dcaf29a3ff2

SHA256
f7e5a004e22cd13b68e41ac0458a69be9f2d12877a1ccbbb83e8be715d7159fe

SHA512
d9e10911fa110e7d59032c1f3e6231d0577f0120ec29c03c0385fd66b6df84a40386ae8d87968b1d10b28980928250fcf79dd7f12011ae3fba839c4e226e7b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6782957a62eb55cee9a4672d4f2bb711

SHA1
df87dbf197c9adf04cde654812f7ef954bebe104

SHA256
72fcc113295b08f63b9c920c9362a1556bb367bf7d7d79c889102a75dd94c844

SHA512
ff66304ab74e32637fb6fbb5164d69c4d32203a73091cfc035d56aaeecc27e1dc9b46675d7543aeedd628e1934d4119503c6c675a671224f46334fa1b7920d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7b0bc7c944fdac53d9358a9f38e7178e

SHA1
c645a20594dba3aee669a953e6f4d0f6fd65b625

SHA256
5d2ca38fdce9a5f3afeb83463e6a0f688cadf50d379508b65cefb0ec7e8e2ad2

SHA512
16f2f5450b8520d175d600d983fac3f5c9ca8a9a6e4104523b1ca49560e8c7e3c906a3b5ea6e126b42d17e7fc98ca2a5a89b3ad5c6003818ae2c1965287fca56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577b2b.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
46ccd0b5bd95b21da881ab83f4036076

SHA1
74c5ebfb15671362948eb9ff02b596f33b1df1a0

SHA256
8f3c5a13e40e20cee1f110b18ca6a778a4b150cf1b13c28efb2497bea46fa03e

SHA512
3dbb5039d645bea19e02a8d92b1eb1682cfac57345c0672fe48e2ab7405b9fa2ee76d31eb1dc8f92fffeda7925c0fd652d7b1c0319e26f0676a6a2b600d4c705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
f49ded8018d8bdf8bf14eeb332eaf8ff

SHA1
29a4f97d9b37b1c18ea250e6e34931097e819286

SHA256
edf96e7009e5390082c67ea6299fd887f801ffed3ba7552d47480538fabc7dc5

SHA512
0efd6bc7f6fde7e5a7c2fc8fde6e24cc915e492713faddc0c981581058ce2575d7cf1d331705c3e602b10e5926584142e108c32524a7dff5bd6d2f8276dfe928

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
e4c1ef0ac6ff0051269e8024fcc1e780

SHA1
a9283749cf861007436963cc23f9909e5825dcbf

SHA256
ed5cd01f7f360a8e90879c77ca37729464a2017cc1533fd48e339f2e32bcb6bd

SHA512
647775ef61c4f3c6a290f6959321ceb93221161ec3dae64d445ae9e17680901a1fc1053a946f618d9a3e7b0ebe6008a16d36bc38b0d0257e8e0424d6a1b87d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
c4ca3a2a134bbe18d63043c75125b402

SHA1
508d3f05d3a8563677a701e1c403e2ea4b44174a

SHA256
1f841fcb639a5be5bdf766b2424e9fe16f7f5398ef8fefb1cad59ddc55ebd701

SHA512
d3986952b3d60dedffec57c8fc5a8cf26e35753f77a1aafc23ffdefc68674914f6a8d78dcef6ffd8fac6c440c761dab87485bd85b7f56fee9b5badc148e99741

Download Submit
C:\Users\Admin\AppData\Roaming\f912d992293b476c.bin
Filesize
12KB

MD5
9139968d614a3248a233e1f08f93ec90

SHA1
ffccff212124d5173e630c78332096b78b2f43d7

SHA256
3cebf5d4d13937d44badb896524bc836c058119b9dc46d5e716c9135fd3cdbc0

SHA512
6a74fd153cc1621cee7285186ecf5e3de1c1095555bd12b4c0e99308be78d04325a21307db576218e078a1d772e831dd16c30531e2a3d6537e215dcedf5389b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
f86c66e19bfa752c4f942db78a88c22d

SHA1
84988a914302da4fa6b84e44ea0ae2ef7a3debb1

SHA256
7d5f529ccb0e13c53444bf999ad143af9daccbdab3b8b3ae9ae6e38a54d20b23

SHA512
c4d8de7b5247cc391684863c7547ef9d233c2c561eac577f49a5ec9baca1a07f9d16950d850064eddada0b1a28ea64feb09c0c0e6b98b462675c626e903d0ac3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
74276d360b100fb8d46c7b570a97ef53

SHA1
0429dea9f3602299f81accf7e566a3d1aa35b691

SHA256
de71e70286c77c41d46ef4bb7006450b48c733fd63367d16f01c78acfa5e87c4

SHA512
79941a3896a2dd36bab556d6d4dd7a33df62fc3c47043a6bdc17fd878320c5378c1df481223284bd7d788694d295ce2ccb51d3a4353fbe41a330a257d952ba96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
3d3a2d1bb978e3b64f8cda530b4bd6fe

SHA1
e60e94d3736d1645f0d1e250b5f24f60c10b1e75

SHA256
d0714b0423a53f1aea4d3a8460c9f709f118138f8bbb010d8c89432e53b10bc2

SHA512
299c14e4bb5a4b8baa74856fce351b538b75fc0712be79043e3c1540df6a99b72681bf9a98679c2ef8398913d14e1e8152597a391439b33330b5e46ac283ff4c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
79b40d7e9500e2ffd89ac77c22aabd99

SHA1
403aef30aeb8d45bceac55086482b3bf82fea35c

SHA256
b6a030f4a3a0df45797c1a92b677e31cbc5bd0d28b06a8372e15ef36256a91f6

SHA512
aa8c287654fdeb8d1766494538dc6a212742b6587dc2c9f6d3ef1ee2e497b5fd1b8b51f631bbdd51d8a244d8c0056e73a1ad75c2bf5b54c62460539a8fa57cde

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
6fe14cda407d6de19ea7e0ce6f430ef1

SHA1
364346c47b1f2f62b413c5c3706898c02fba071b

SHA256
f63d5e9741f0c8ac4032556174e7e5f9ba14a161e90297dc0108fe8adeb978b1

SHA512
82a65f4a0100ebc02280f851d236687f49aec66802ea3ce47bd908edc021839dd4b660d5cb03cda3af99b4dfc5875a0d401ee9db0ac6c761db14e3f976b2f9d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
74687cf60650e0ac7d4690c49085a27b

SHA1
65ca6c9ef03d53245ea1b7f63319caa3e909eb74

SHA256
baa580459e023e5ebdad800dea86696b2009c95df022f4cc501f10bb3c0a5ac2

SHA512
327e0bb8834dc9a3c0074047126f3ccd1b77f799cb74ceeaefda89e7aea1e38762010552388c9933e8ca825326b6907ab1144fc97047de6757c1e5454c095b30

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
602878252e10721e82150ac6041d16a7

SHA1
2031129be59f7c4f87560462a08e207f62cfb9b1

SHA256
98cd71e5cec2e8d392d6eb9e6e9fda59e3cf36a366eee98dae0b1fa178c53cd8

SHA512
4017312287edff044e2c77c0225fd74b568026850b6e65177c5b2e0f715703e035f58e94f165f04b9fe00f526bba34e503ae83580a5c6a970ebeb965d4756477

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2825289c921c019d5279d5a25643fe3c

SHA1
1e745a09e688ce62071d93ffe2834a6566d36c9d

SHA256
b9b3d14c721d6334bd4b885a182180786beed4f17a1cc9b316e6904ab85f614c

SHA512
74bdfe9f77e4f384dd79bc544901981ad22c44254be5cf315afc7f8b76e24adbc4fe9b2033ff7de320ca6be1861f409fa77beaa8c276cef617a6d4e6612f78d6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fd194c4ba1a62f715f7a9c10051fe49a

SHA1
2cb94d53e9a30d1d5f8f891d8eba91223f2f01d8

SHA256
c59bb270ca85f6292b2b401891354a30cb0f53e2674561c67bec2f21c2c607c4

SHA512
f7b5006c794b109bbc6284b5df83b2f7d6030157a790396348a52b5181beb31cf8fed17e1b289d1c5c39ba3e42f9ef13021b92cddf30c369723040c6e7980a7f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4463530a2292dfa05ae5ee89fd8ef811

SHA1
d43c7b2ea99d55b75a8eec89c5e1f5d1a0016166

SHA256
58da615508b1e597401f3214e45a6c802e2b7204a38e2c2282bddf52d2d6674f

SHA512
cb7c7f975af84f467ab57d8fb0dc882f26c3b386fbaf7c9535174460dc2098616772fdddaa3be0376c67e7b05fb4ccb2216ec3bb7c6fdd43bc39c1c5ecb6e71c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
b771545adf54ffcb2dafb0c0997df6a5

SHA1
e1e10d16a1e1aeefda9d0230da5244f0664686a4

SHA256
4bbeaa1fa75e18c906c3854d39c0808dd4b0caea0f15047ffbea19b88f8cfa77

SHA512
531e7aba56a41868dcf227d898316c5bbd5be9cd8f37e2d83c304c7db2a4f113aa0618759c83127e51b72930daa5ce92f651eccac6de8bc640d2414ab4ef08df

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c6fc40dbd06f689c40d1f29aeed3bce5

SHA1
651af04948ba5cda218727203696f02d581c7b21

SHA256
6d33e509cd21cc07179976ffb4d97ae5609c5b8763c7a72abb523529d249f609

SHA512
93d3916fddf608f3c5e1f48bfaedc44288dbbd91ce65121cbea728aa9a7e188713abbfc87208bcce94985b768e60228f6407ecf301a4288125cf67f2c7c08f5f

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
7bf7bdb81bc7cf6f0a975df583bc64b4

SHA1
a28ad9878d8744d819ee0dde41c4bd3dc223ac5e

SHA256
2af8823b0cc8f1aceb3511f428bd7e761b5800bdea24b6d9c308edf580e78a8a

SHA512
1b37f27de842b85797a02489001d9ebd81c8e193ff26080534527477dbbd3cc7681303109578b82d434aea1b6adea1b6d83aec68bd80b5335710587e083199ab

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
8ee3b2b81a23c7aa0727478ea5c00f98

SHA1
4043775c7a3dd5dd4cd45d092345b3075d1992ab

SHA256
c1f717c8b2e84f6f223f805a67d52fb70328f6b2ddfe2d7945687ee5d623cc26

SHA512
75704252363928b619cd01a7af1303de40d8da8ac4e90edc7278f8bf262d21349eedf9e2e6d9eb38b337969761399dd141ff30ac49effe21f7254ae68abe2296

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
547d7b7590916da7f532a0c4cc6ffe2f

SHA1
2ac1cae7b09b6de81760d0e954c19f25a6844f8b

SHA256
e1247241e387c0f6499dc7d602755386518752476cb7d229463160da1a96780b

SHA512
ac16204d7ae1f203ed7d2e4781701d0e66b243374b1f8bb811c7025d01ed625e6c20434f33ddc6abf29fd703e369f2c6285b455c66f97b4097d2de8fa7741d05

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d2b151233a1a6e0f04ee7eee8d6d34a2

SHA1
528d78e21eefccfae6eda05f5a535d175422771b

SHA256
0b2a065718d55b5acd7cf8374d54e231c14e90dfc0421c5a2ebcf9176c6ff9b9

SHA512
5dd17a9eca2d3ac6de86537a6f47ae5744ef53ee3efd81f1b977b5c69d223cc6e6e0cd3094ab5864a31ae917dbc0f17975f013f458d634cc5e6f51c2b0cbc344

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
3d9b7bd5246a648aba4da43cbc700459

SHA1
d86de60e022cff4e510af0057fe2d01a2e6d1d8b

SHA256
549d357587a4c09e1008da9eeba4a1e44d5163954f6183b9772b5745e673f4ae

SHA512
6ae148e50ac93706f3bdff9bf557925f3bae65080e04d20a58abd9aa005c7f1b55a7ad704ce02da50093c3d5fb70f8068734746075b4097db031adfa383a07e0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
49e1bc761de1cd7781b093247695b9ed

SHA1
3b1715b739c4f4c60998f092ce3c2088d4b5ee59

SHA256
fecb545f5b41b0bcce9cab3c3894bbe3ab05905a95cf95a9730623cbe62ac9cd

SHA512
b7f418e99fd01f58f8ac5919f4fb60c4b8fd5d3c9ba080d759af13028fad02740c200224f637661ed06008519b3be8b34c1bf7130c262365670d1d692c665425

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9aa46a1b0f8bde74f7560864811c8979

SHA1
c19ff34517774e611664604c9c5eac80cee72b6e

SHA256
6628ef21973b5ef51fe80de5efad81b8ea7952b3fdeacd64cdf80c247bc4e26d

SHA512
10855e7b588c4749201590146823c23c85e4f438a25afa0d896c50915f7e3d6b1d552459341a34843e3459008bca8586b03c7bac2f2a2476ef0abc474b382fb0

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
0185b6bb3b9d0909b32c854b463f8e85

SHA1
f25cb506c6011becfe14d79507a6dc2cabdd05be

SHA256
28cf289b0262ad4c26012e8961019bf7b83b28c4cbc7225de5b68d44d96fc740

SHA512
144755d7ce0e6be48f8c0211e396c9c9de43059f6c62ed6a34c390b2076f5d960f7e9a8308b0ba1dd3630da3b3f0a0e3502b323f62cce3ceb229514cf3c703ec

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
898efd4cdcc8e5132054c145a1e3055e

SHA1
9b588558624bb54b611a6930cd696b1395936d22

SHA256
ede1c44472ddff902da73fbe895996c859e3648eaf7d7dde2cae0ed7f71f8ab3

SHA512
54f1d6c93e1a79ec121daf28a29b36fa6705d070d90966b602c4882588b76329cc6e46f386b3b5374c1ac68f555a95d15e0cf41d8d198ca6d30fd263228c892a

Download Submit
\??\pipe\crashpad_4684_CUYLUXIMCVVDXSRV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/532-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/532-23-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/532-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/532-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1020-349-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1412-348-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2132-55-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2132-54-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2132-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2408-223-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-68-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2408-464-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-74-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2700-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2844-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2844-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2844-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2844-39-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2844-567-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2980-224-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3300-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3300-64-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3300-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3300-77-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3492-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3576-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3576-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3936-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3936-21-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3936-574-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3936-12-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3984-231-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4200-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4200-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4200-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4304-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4304-704-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4424-355-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-705-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4428-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4460-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4636-227-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4680-233-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4688-232-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4820-229-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4820-639-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4912-228-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4928-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5260-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5260-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5444-707-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5444-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-600-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-706-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download