6f2bad13b515ccce7f9ac39f8ed60918e0dec58a47cabec49d5350c5c90ac057

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
Size

5.5MB
MD5

d19d06c9139ba35750b8bffc40ead61d
SHA1

77b8de7964f20050ccc9d6f157682ad7b06c5d57
SHA256

6f2bad13b515ccce7f9ac39f8ed60918e0dec58a47cabec49d5350c5c90ac057
SHA512

372dea6d2c6eed2a2932bef8c210faa722584a22d24b62e3d91d858aff05f2252714baa7c28000b93fbc6359e03ee1658d0b423a6e3ce81afdc79d0dfc901417
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:/AI5pAdVJn9tbnR1VgBVm/69CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3552	alg.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
4764	fxssvc.exe
1684	elevation_service.exe
428	elevation_service.exe
5876	maintenanceservice.exe
1824	msdtc.exe
5904	OSE.EXE
2108	PerceptionSimulationService.exe
4412	perfhost.exe
5680	locator.exe
912	SensorDataService.exe
1268	snmptrap.exe
688	spectrum.exe
1676	ssh-agent.exe
5152	TieringEngineService.exe
2172	AgentService.exe
2680	vds.exe
4352	vssvc.exe
3712	wbengine.exe
3692	WmiApSrv.exe
916	SearchIndexer.exe
2552	chrmstp.exe
1784	chrmstp.exe
4464	chrmstp.exe
3228	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exealg.exe2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\69b29c0092be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exechrome.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaa97c4905aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005009604205aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003deafb4805aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f73054905aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d6b624205aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f987f94805aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005611034905aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exechrome.exe

pid	process
3624	chrome.exe
3624	chrome.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
1316	chrome.exe
1316	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3624 chrome.exe
3624 chrome.exe
3624 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5864	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
Token: SeTakeOwnershipPrivilege	3728	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
Token: SeAuditPrivilege	4764	fxssvc.exe
Token: SeRestorePrivilege	5152	TieringEngineService.exe
Token: SeManageVolumePrivilege	5152	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2172	AgentService.exe
Token: SeBackupPrivilege	4352	vssvc.exe
Token: SeRestorePrivilege	4352	vssvc.exe
Token: SeAuditPrivilege	4352	vssvc.exe
Token: SeBackupPrivilege	3712	wbengine.exe
Token: SeRestorePrivilege	3712	wbengine.exe
Token: SeSecurityPrivilege	3712	wbengine.exe
Token: 33	916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	916	SearchIndexer.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3624 chrome.exe
3624 chrome.exe
3624 chrome.exe
4464 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exechrome.exe

description	pid	process	target process
PID 5864 wrote to memory of 3728	5864	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
PID 5864 wrote to memory of 3728	5864	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
PID 5864 wrote to memory of 3624	5864	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe	chrome.exe
PID 5864 wrote to memory of 3624	5864	2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe	chrome.exe
PID 3624 wrote to memory of 3652	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3652	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 5232	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2628	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2628	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 2864	3624	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_d19d06c9139ba35750b8bffc40ead61d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2b0,0x2e0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa67cfab58,0x7ffa67cfab68,0x7ffa67cfab78
3⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:2
3⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:1
3⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:1
3⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:1
3⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3996 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:2428

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:2552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x278,0x260,0x274,0x25c,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:1784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:8
3⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1916,i,5192294789017273258,12129859393611420782,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3732

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
44e1c26b4a911c6d1070a5d417d072f8

SHA1
73d8845111f20f14a52c0f86adc87fc4dc0c77e7

SHA256
bebb3cdcf274013db08fe02cfbfc663bb6afd3507904ba640ca237f214f61748

SHA512
d8b08449f1f0966dca333e0222191575daff1eb4fa7e848b80f6d101d70e671e23b160e6a3e8a005bc66578f3eae276c77918c6dc0355dd2a60c3b5f61911340

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2bc4b3e22467e273ba3030777d0a6c86

SHA1
b99b85f10a193bcc741727cdb72153df6c49b5f4

SHA256
0c6f107d607c9fabbb6480e7cc4435dc3534e551f7e7bada21d9290f3137c0d4

SHA512
32499c0b0cc6c5edc93f547b348a7c618d41617d8a702e67f824a6c22888c3789e34d62e605ff011600e8b6a810c55ad03e6453537a5cea43455b0e16a6c9a88

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
75bd14f725b5c1560c05f10c1940e351

SHA1
69c3d9eede35f8effa5b286bc3e920402c2a9fba

SHA256
10e3eea4d200558efb761c0857bbd6823545b3ebc2f701a1e4b05b2a3bf24a76

SHA512
52b961223d7a4624af92b5689bff8ed150969d795858f04ce983d6a57dd0046db7f7220ccd0a5983a744155741ffc2f4d5a92557bcb2e6b302291ea747468399

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
277a573253ebac57de78439471fe2b0e

SHA1
d603b6f3d806e5a073eecd0d514a580b7deb71b1

SHA256
5c0e6b423924ef21f8a0e4a772e659de2ecc5aa82b50812cc101bad866f544fe

SHA512
da7529ab30e94c32675055449c1be801fb5e23dcd53ba7f4ce6501f13d34ceb9263e8082386b9082a0e008af9af11d93b8fc81f5a899cb325543ef6d1dca0821

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3ef7ae79c3f9274164709a920b367caf

SHA1
cf6819e644c83daace1e3fb9f2f0b2c020db216e

SHA256
a2d61a26d9019004792f871ff7b3250919639e5614e7b0a6074499e4b39a8809

SHA512
32a50fa0ffee2f36dfe61b57dff1e8d0d3e15559c3b08be72477c1b083535e62bf5a1e6db552ce82cea60b6ab1d7269388b944c5f58a5cdb398e1086aff523a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
5dd5c163175f4a22bab2045922f75dbd

SHA1
4b785fa0d759e79f26cdf3a7ca74278ef7b23a47

SHA256
f48f261b02919af19964d6661aa98087dfd710cfd9e47796bd9620a1af700ac4

SHA512
d4d874a293b446f8d1cea3f62d97354c03fecb0a83ccaee363a2ceacb33c49749afa52b51dfe811d71dbc9581683933dc68507418690279e56026afdc5896bc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
710ab643a36b2ce3160f9462ff77bc36

SHA1
8f6a9834766e3581da0db213e24c2bdcff2910cf

SHA256
441a3c7ddaff73b7316d4eb32c3e59853d9639f595356e71ec79bced90a3b6bb

SHA512
861a91fd08f15f5752468c2e2c662db11a5ee5d29507d179e0ea11a660db695583656447d7dd616f04d3e8f81a4b4b350c37554e9313946683931c0f781838ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f14b96c7112dafe5ae477713fcf68e78

SHA1
0a0420620193117988f614df8cbdfb388bb5ab29

SHA256
17a30e9dff90973dacadc36d660b8b042c5ce914c88308aa1b7f74487e63fb40

SHA512
7f47a1141df2101f4d15a19f2342ad6e5ec74e0162ed712d21783e3144f8c8e5f306befc7bf74c51d05af0ec0bc359dc79cf5a6a48594bbefa9da9f94d7c10a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
69bd6e1f87ce5b40d8f1bc094a6c0f13

SHA1
5c0538311a5ae4f7c2aa01de0cea8f2382cf6f30

SHA256
126f6ae7a1a6c2e6961fa416952f73436e86f955014b44c930f67b47d9a1b2e7

SHA512
d3ce9eaa2bedca7050d3ec4c6cdf43aa7ed6c8d2d4777454ab876f4c1606d5cc32f41fbf437319c3050a044e99cf0db0e897141e366b770955fa3e3e73340f14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
19c452718da54b85ed2b190815ea76a3

SHA1
96205bfc3f1ba8f5f5f3e78caa50c4b4aaf7b153

SHA256
bc4ce614c3993551e2484705b19581cc3724ccee3bc42183d211af1cff3e3b69

SHA512
8e992fe62be4678c0bae23cbbbc30cdcda55797a9059fb75684e4f7aba92d0a106c4e7c1d0a57d361e49c3d3e8523bfb6f61ed75a9f1609fe7c36c257414fe96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
544a69b86bc5df365645e2bb6af99555

SHA1
5086238c45b4fdf1127ea70ce3ebaf9356660fd8

SHA256
7b1b81d4d785853484d2874ec0037531f7f1d043bea783776c1b99c65a790243

SHA512
dd371eb9f294938f8e696dc8d6e7a4099cdb75c9c35597823db7c1d98d79483f884262558ddf0a1cb4956f2db0b4b8bc0329d65429ab12e39d90be13e4b533c7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
e6a051cb85b091b0bc6df33c711e129d

SHA1
096f36eba4be4b80e79a77e1e301e7f9ba2c052c

SHA256
cca47e444738e7c5d16036bccae5639600ee3f71d8b72a6460ccd90856b793ef

SHA512
0b122556d94028c46eb10f374adf84ef05e63eb00abae9e21cc5f5b82614de6970a27abd3de5ae41be740f811437d596c63444e7d0600e864c4c660fb7f6492f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
f25d851eac344c26e3b12c70ec993145

SHA1
b55c5d25f7bd7aa8c1d3d1df17ff11203e56784c

SHA256
823b4f6919c782aeb3121aeabaddd53779a7da53eeef21eb664db61e904ef181

SHA512
926941c394a4cf0f229327cb681bbf31ded4b001f39adffa70aaa63abb43711d97105caade097cb2ce3a8b9c5fc635283b743da58ba401ac286a9be291d9b437

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
5509c508e4dd4f652ce3661d65ca9063

SHA1
782a930ba47807f3a035a761904ca696057e8f00

SHA256
c34bbb13759c343145e980737dbee1188f4822e1cb3f3e2bbf02d228aad55b8f

SHA512
8a883f503b26d649780abe24441d086f68edfeadb8c5d026467a1c43e83a8940bcb34fb186b78549bdd2caee8cbc812d981a7bd1673350e6477661198e5a021f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
0c42410969d4b82239b85a51c19d1bc7

SHA1
9e75c509479a7d77ebc48d7912b416d06dbe5b22

SHA256
b4ecc65aa56b549864e3f10d0e402c1c67ef6c845e80318cf689a8c8ad1d66af

SHA512
17c93669da9bd6d97cc1abdca366557663ffed51c2dcf16cb83727d4fd3d980c17d69a8acdeefee9ed78a3db4a3dec923d70a30e6e7fb3d408c20e26775a62c1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
2f46cb0919b8c4cef3dfaadefa0ba8e4

SHA1
5c3d87df3bec9707880c9c3f5911bcd000860a30

SHA256
55379528219810762012a075462b1c2630d411f65802d7358bbb5e011b69ab98

SHA512
5d924132cca972fed14eedd9274d9cbd21ebff28462e748b0878997cabe4f29933e88afb8a351d9ff9a98c06568a2a486ea15655fbb173384b596164f8326f97

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\924f5faf-594f-457b-9a45-ed7a812d40be.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
eaaa0d17f860502c2cb78f9d884bb76f

SHA1
1ed59d25dde7a88e815b0ec586e7c64742c37a74

SHA256
f0f4300cc9475834e56d6bda8b014cf638f7a1fa36c5952de7a1105118637ce6

SHA512
fc77464345c4523affbb6ba1ad8c37361c9b42bef7ec4e9935e26605719ae1db0899e4ae23615161805d86841ddf70b4b9beb4d188f4db9a444e793bb7214f32

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
618d68a382ae5c7b6284d180a81aaeb1

SHA1
2ea60f8e6f16aeb93848f11ad032721be1881309

SHA256
5cc983a4480ed3c2f6d32cb74ac1b26598ac9586546fc51438eb8654f5c22dc6

SHA512
9cad2dab614f4d74c8b4494f7250742d5100375fa41df164e8c4bbb2357046161701c8601d4c426199751c6209a2f9c3c35747740ea860699d472cece7a25a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a39e52638428a5cf0e6f0a59e9888639

SHA1
fe33d12f4688757237cf534d3925df6d839618ad

SHA256
be51c07cf4235d873f25cecb4850723d0ca5024ba484452ddadc510e2866fcb7

SHA512
8259b55297e1393392beaba3bb5c534ccc5c83c9a5e2cb1a150dd2e8232062993da8e6848e3313afe00d11a11281b7d504b1d3a70783edd6725c0de76630983e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
fc9e996a426894b05642765b916cbbd1

SHA1
be6392d9d9e8016dba13853f1a9658ce18ae06e0

SHA256
a56d5b39abd1369fd257d69b4523675a33349d424c67282aac5906b96f97bcd5

SHA512
319d58f1ec002ae4b4381a35da44411924422aeb6891bb19ab743f265d30d7350ef7b2ea52c635b0159dd6e12db44e922fb1b36aede5b9897036b3cdd599d2e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8bac79a150b5fd47e47eacef62db0e0a

SHA1
ae2e8c69cbbe0abaffab12faa7f8d67f437c277f

SHA256
ef4deeb3a64dd00ffff4643a3ad8d5c5afec1a5cbc1f8d877843fecc482fe098

SHA512
7b56f22b21d829a55d5134c4e96979e2b27e869a39595fac1eff5ad4c312ebc8bd6340d234cf218cec34f1b07ef01ee286fba7356a6487e7fdd6e3e4047f61fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576736.TMP
Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
572f36da51f290f3846cdef3674e1c75

SHA1
3fdfc6188cc9ac6f3e6831721711ad9d96e80a07

SHA256
f32b9de071d030d87da105e2f40dd9fc02a3982d02e6c21277b42854e7b058a8

SHA512
ac1e3ace58abe2283c6875d45f4c70f0d51129ad4ee432a944f36549b67dfc88a2b26bfae8a3a701147371c1636c7b6f2de1e67bfa1a9a9cf370b8afd0862919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
49aac92df2266608e486a4962ae61286

SHA1
a41fd253a02e24febe640b3300a181adc18b2c7d

SHA256
2cba3ffcc4d6b691860adc5f2116dbccc51211e1ad4b69f1e5b909fed86169d4

SHA512
6175a8957067e67688846e5950563c4d0973358d2d3f8fe0df29ce8c44eaed5464305c7abb56f2f2823690d9e7093ce4296fc39fcfd79a897538830b73a615a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ff6c4f8fdab0176472bfb5c52a6d43d8

SHA1
138f59c900f4c4a9e0c853858623c4faaff67561

SHA256
3337a35ae09d582e80c4d4f9d32a90316a162a3d89cbcee92875c8b67f1b4dde

SHA512
0f369d80814f7fc1e058ffe5947b8919ba628a6f06247dfcb148b534b336f49cbc352f706e5763e03dc46b0589445ca5c27b6f84fe475c9b744aac805d86207d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
dbe44af5bcc1df0e67d04734c3f1bbb2

SHA1
7027244891101056f87443d475bd1b023e6b8feb

SHA256
530004e9a9c122c18de09a75da3bb870f732dcfe170f80eab72d955df5a4515f

SHA512
fce668c7d4d160546c18533e69b64efafc15eafa7b59d8045950df78e7e44b5000f1cb31aeaca92c493653dc07d0a274fba8d6accd49e4a0cc48177890d4fc5b

Download Submit
C:\Users\Admin\AppData\Roaming\69b29c0092be0f3e.bin
Filesize
12KB

MD5
30d47d44aaf90f95b7446b89d6419642

SHA1
fc2afb3a1f8f3ee29a21eda4156a6b0a3335b330

SHA256
98e13a620759f84913d65532fe1da3b1dbd6982e3c67fe4060f99c2708a5d889

SHA512
fe88b5bc5810be4455bffcaa1bdcb42d0a8a43704512aad8b6dd26960f6a71b369744c3b4ca618f6f7e93d8dfc00de0614f2dc481562f8eea20349420fe3df8a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
f8b3b7d7b047442002072e5b1ddf4842

SHA1
eaac15bae9360f44580b86ba251683c7473d33cc

SHA256
8691b4259d56ec87811f6124c17beb9c32075e4a917d30bb2eb7c800a4de9b2d

SHA512
6ad35a8e95a54bff847e6b84df238c76aa0353744e120f544ae1a83d7913eb5b38530f1299ed8e0604c5da5c3901fce95ba519fe170cd96107ba9ca1ff5d2aaa

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a9302b055245d523c24990140778b30f

SHA1
38150d2c35708999819d8a180421b9fabf5a4753

SHA256
7f405d79d6d935d287996f34bdce66c218f4ca10fcc7df4a3cdf498ca1d18c69

SHA512
00e1b177dfba421997abf50985e05287d70865b8ddbbb977c575e9ef8e93ea6858b06751c66c50a178aa2dba9ae235b9c6d114fabcc0677ba7b11fc73587e971

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
cb74c24130813d43b48b8f6974a85909

SHA1
3e254e5154c41446a1ea063e0498d45e39570d1d

SHA256
c29c11f59299e12e8c0c6a4c7350f94eab745717c5be2453874ecde88d97d4a7

SHA512
bc42dd15f699557220a1fd66243d5f6b443d2cb0da2f69a61d245e5eb202b35145d7827b31ad5bbcb0c3135300506daede41d83b6f203e650806b6dd944ec459

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d2162a13a611fd4227b287e5f132bd28

SHA1
4bd15d05eb006be3900a9badc7d4a24d1828e992

SHA256
7975431ab429c0c5018689e6170fe608f5be3ebd6dd978363615d79fffc8c9a5

SHA512
97e2b2705fb818d82c2e5b17610e81a020c95045f4d49ef74b08f78ea7198fe01cf6b4e6272ef46b8196a925aead37d827aef47d4b0feb77ff63624780cc7720

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
cd87aca8118baeeb334315f2c181bb5c

SHA1
468406ceb961d122438a264e8315e6c8728b7133

SHA256
8b31291e0bc6349751636f0545378c0aebf778e51c4cd0c6f2c0cb37b9f2a1bd

SHA512
e17777d55f041b08d7e23551250c27eead1e6530aa21d0790d657d8943de2ff2430d0724b96b6f531c548b890f20cd397ba572fbc95ced3f3b27a81ddd8a6702

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
d3bf222bc14b010495304c014e9f0ce1

SHA1
87c313c799aa680be9e017d45417afa02efea196

SHA256
9ecff21bb2d2326aaa6dfd0d75ef3314c5ee91cbb90b6da0035252e4957cb9e8

SHA512
7e534dabdce45d4a00fe13852763d8b5e673f8be7ea14432ec06c2d934ca13e3bbd28a09347d51483ba509cad2a61dacf0c7f4d231d1c7d80c6e8545b537826d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
f6f4daab8e7e0e9bd6d1f12e6c881c2e

SHA1
9e8454e878835411d7bd5f00008a155aac24d658

SHA256
47d90f09d5ee5371b2e3b596d7e4cbdd69a27b49ad07864f59ef9d9dd5ec2e1c

SHA512
33f39e2d32df72bce2243a8798b24adb9fa3ed4caa1366afe34a11f62ec2e695b692d71d1e6c6c3f2d10d9d80e2b2d0c9dabe87dae28f58c78045b96fc2d8245

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
97e61e9142357989b22b5bda4c35db96

SHA1
6c6a6cd5cb1a4336223e35478ace9ed03a18cabd

SHA256
9f8d07c738d4938df8287a40ac3857685eb33843b5713840e581a3a3689f15a5

SHA512
5b804e39776bdf1a5bc6161bfd26e61d7581f3ef8d29bf93f33f3d394a3f301896f6b05549dc057af52b3488a2781db8abe0a1bc6269b65951d9b3ed444d1a25

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d808ffb2e790c8985b77e07e2ee25a88

SHA1
d80d7a78fd7f5feb88c78a7eeb5971d61c070853

SHA256
326d345cd2319f1037ba27c0d6d88932212de509335567321de3abcd36d9eef3

SHA512
a71b91ff5466789072fcdf667338046da2d45e1c73488266c3b1435d467aa328f1f3481827999312bbf9a55c22a9fc84831b955eb95e538b369a99916e17825d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b1012b82b17722743708c4dd5c4d0532

SHA1
61b3b2076703e31259054629981d9408674f0eba

SHA256
33b584a6ec34c3fc18a4358bfbd8d9ba10ff638184226597d6387b758d844a27

SHA512
6363ff792827c626c46f2c82d80513ebf2aef261c2e34d438f3704413ea9a11a891e2ace8cbea2ce5758899b1499f8e622d860d830e6b53c8a66eb0f0c695b43

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
e1fa30faaeb36b10fa09ee998bf3a7b4

SHA1
d1fce8246eef9075392c776c90db1a5d714baa79

SHA256
ef98c3fe9776abc22f4721df536de76c558aea633b65168c5743501e824d9890

SHA512
adfeeb2f6e89f5d2106c67284ef6eab3a6f4840c96350195b16909aaf32d29f81ed00b0e7d8c4bdef83344ea6d21679f94f36e02d8f1633ebad3e6a3fab590e9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6e11a49627c80e40953d25fd37ad34d8

SHA1
bf2d6a55a6ad0776c18825d0af2e1c374a6260be

SHA256
85f4492a95b5ca4f54457de298777297d208045e8f58454b7f6e16829c92ec46

SHA512
1305ea5779dd9af7a4ed95f8d7760ab52f2cc1d712c1a39ab77b8c344ded90e80969e5e1501268c52855a06c6cbff1bcce75870e9ce2ef5f1a89c5eae17fe64e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
7353f5013319fae6e0e9b7b2d391e7ab

SHA1
a5f10f72a1ee2f0df2b834c0d444cc4ca167d287

SHA256
351bd274c8bb0add667d5767b59d5fe3cb211a6a6c3ddd00efd65f129a2186f0

SHA512
7f030d03d655266e3692e390065304e26273ed475be40c6389fd1d1a7652323f40b05b30ae8614252d8c9ba9d78c16fdc9b5d945ad9a27a70f8d5b5f81bc871f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
af86bb0e218a376157a4d520ca9fbd95

SHA1
16ce9112e5fffdae4f10300b5f66f7f861e6aa9e

SHA256
5d25d0e4f419cc58fa21d97aeab463ef3bd9456e2e45036ffd23b354cdf08fe1

SHA512
c0039c1f6cf60e0a070537d6f183e8123bf9ef963d34bd2ed6a7651ed0522b7cf344251bd0f77adca490496ee1694d0d6ac87587514cb02f42be905a8990efda

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
914c3e01a89b92449e1c6b4ab4005fa8

SHA1
f2881bcad4563a72758e7243ac5da66678b314af

SHA256
a666d06dce78d1bf151cf7356c3cce0332e148bef93f0a7a338a43a7a2c945a3

SHA512
bbff5199c9decc7398cc80ebba5fc1a3a3541b0bdf7042cec166b352c7b2c94658f39d2bc5a1cb34ab3a0149084e333f886cba61085cffd317109ad7c28fc299

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
62e27c31ddd05d308d73078755097519

SHA1
a059555ec5f40fbc47b345d909c4a0e4e61f98d8

SHA256
26a581e67e923c4754ee46d07a044247cec7eb996a5bd2c4cc9d8a5a0fd23480

SHA512
8f4b0087704d255c71d3fd1e221b6b449064bfee5511ee7a271acdc6b068af3b76724a714a0a9c9aa27493970f19a67897b7c4446f6933514cdd435592729921

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
26b9c2c4714121cd050ea802403b13f8

SHA1
b06229af7a99d26efa1a1f0c91d9407793db9988

SHA256
cc6123c8c58acaf6e2dc5d821ab4f5fdbe830040d9fff93594e966849b514d5c

SHA512
b816bb99748d1d888ba0e7cfbb0c08c3ec8eaf8e8f1b51404c102a34c32c238552115a66043fc40c4ce8cebc06a7cb6ca547fcb6ab544b602088ca5584a909c9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
34eb19c2bffadd400627ac051d7ae787

SHA1
20e52bd6e1bbbd9845d7bc64b62aa6735a8477ad

SHA256
6515c051c16b914c847f86c044aa74c8a766519b59b20b4c11e183e639841d34

SHA512
7be8095c6b0aa7f643d5ed68af497057f2ed56ca4d2553634204c87c63f8a0f15e6373eae323a4716b65287971fc0034737f7b19bd434df96d7e0af6d3aa8c54

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d54d4519eacbe5c5c10c7f1683f215d6

SHA1
3cd815308cb4b8fe5b03eee80073faaade64b54c

SHA256
0fd045ccd7ed7a1becdd2499b99ba645a9491033bc20d26bbbf3868301a54ebc

SHA512
6d12562566502643e1ef77959494516f88779c55d0de1d028e507581e8566458db1893a3eba660179bc3dc698f18f85e49a3229312b3a34b628b905508351849

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
f484f1cbbbdada462a451c6638217a05

SHA1
5be9e6dd898d83f44752b22b1b3682a0694826a4

SHA256
155723e34aa428dbdf6609ab3599911cd58a79911954e5a12794e254d2e99b0f

SHA512
8c5474638622b26b8eff3d47bb8f65546c268d5a0414bf37825c8ced0f8081b9f41650d5a94f5f151e0001170aa87d34d82f10af070c009ff3113eba62b0ff91

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
69fb8da7955716271c6011b174f25cd5

SHA1
893e293095bfd1a929cc607efc90abb2da01ae42

SHA256
22d61e028c1d8df002380453f50f6f2eaa5a6b23bf516b932f9dcc7a780e5abe

SHA512
fc0bfa6b5d6c3db5c144b5ad159c063c8527f19fbe1a536b5e9dd516d47b84704208cf862442d96f3e0e14ebb7c15f17fd183311855dacc3fb6284500dcd17a7

Download Submit
\??\pipe\crashpad_3624_XZTOBIHASAUQCRNI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/428-629-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/428-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/428-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/428-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/688-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/912-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/912-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/916-324-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/916-713-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1268-314-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1676-316-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1684-89-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1684-72-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1684-387-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1684-66-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1784-714-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1784-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1824-306-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2108-308-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2172-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2552-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2552-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2680-318-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3228-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3228-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3552-34-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3552-32-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3552-26-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3552-35-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3552-614-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3692-322-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3692-712-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3712-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3728-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3728-10-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3728-16-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3728-558-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3772-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3772-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3772-52-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4352-320-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4412-309-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4464-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4464-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4764-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4764-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4764-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4764-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4764-75-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5152-317-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5680-310-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5864-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5864-20-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/5864-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5864-0-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/5864-6-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/5876-92-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/5876-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5904-307-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download