65c457413f0733103a33526ddc6917ca7d94efad0eefbd6dabca737d190f5420

Analysis

max time kernel
122s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
Size

5.5MB
MD5

3df27934ed33d40df91aa489c0fad968
SHA1

6add1cd51d63b56111d321aaddea4630f0cc5fcd
SHA256

65c457413f0733103a33526ddc6917ca7d94efad0eefbd6dabca737d190f5420
SHA512

7ea5567295810db6069e1cb644bbf8f3938c5fa72bbe451dc604fc1f307a0bb0095cabb4b2943b00b6490212a0450ce22f81abd12386a79c98577e1d29156d84
SSDEEP

49152:uEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:0AI5pAdVJn9tbnR1VgBVmSEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4444	alg.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
1244	fxssvc.exe
1228	elevation_service.exe
3040	elevation_service.exe
3340	maintenanceservice.exe
1104	msdtc.exe
1000	OSE.EXE
1564	PerceptionSimulationService.exe
1964	perfhost.exe
2976	locator.exe
2252	SensorDataService.exe
2148	snmptrap.exe
4944	spectrum.exe
4080	ssh-agent.exe
3088	TieringEngineService.exe
2464	AgentService.exe
1348	vds.exe
1320	vssvc.exe
1860	wbengine.exe
3468	WmiApSrv.exe
2396	SearchIndexer.exe
5320	chrmstp.exe
5420	chrmstp.exe
5780	chrmstp.exe
5688	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c547dceec3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099e4b3e61caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007782b1e61caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec184ae71caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b86739e71caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9a153e71caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b995a5e61caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd0b9ce61caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000211769e71caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exechrome.exe

pid	process
5100	chrome.exe
5100	chrome.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
5100	chrome.exe
5100	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5100 chrome.exe
5100 chrome.exe
5100 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3456	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
Token: SeTakeOwnershipPrivilege	2052	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
Token: SeAuditPrivilege	1244	fxssvc.exe
Token: SeRestorePrivilege	3088	TieringEngineService.exe
Token: SeManageVolumePrivilege	3088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2464	AgentService.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeBackupPrivilege	1860	wbengine.exe
Token: SeRestorePrivilege	1860	wbengine.exe
Token: SeSecurityPrivilege	1860	wbengine.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: 33	2396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2396	SearchIndexer.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5100 chrome.exe
5100 chrome.exe
5100 chrome.exe
5780 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exechrome.exe

description	pid	process	target process
PID 3456 wrote to memory of 2052	3456	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
PID 3456 wrote to memory of 2052	3456	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
PID 3456 wrote to memory of 5100	3456	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe	chrome.exe
PID 3456 wrote to memory of 5100	3456	2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe	chrome.exe
PID 5100 wrote to memory of 3388	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3388	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 3752	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 1168	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 1168	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe
PID 5100 wrote to memory of 4172	5100	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_3df27934ed33d40df91aa489c0fad968_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5c7cab58,0x7ffe5c7cab68,0x7ffe5c7cab78
3⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:2
3⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2060 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:1
3⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:1
3⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3608 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:1
3⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:6088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5320

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5780

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x274,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:6816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:6824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:8
3⤵
PID:6920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=940 --field-trial-handle=1920,i,13557737832298367788,10334908985529280506,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5648

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
2⤵
- Modifies data under HKEY_USERS
PID:5976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
09378d6b0db820775618c78725958fa3

SHA1
b32661cbfd7873f07f08a92acca51bbe0ca4e20b

SHA256
125acaff1140dbfdcc6c9746c81ef9193e4e12699355c9bd05944237a3833fc4

SHA512
6ef40da75b6a515e645cc7f04e216e62c43712bd48e73d2bc5136aa6d243083457bf474e5e4065b9c9e2e1352758d60eff8f1b9b610897529f1290ad7553e13e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b2366d44311fa785e84a94a9c03bd415

SHA1
4e381784bbf6ec47aa6a1872a29ce897c99fe429

SHA256
18541eaf19fa5f1c54ff0005b3d6569ff6fa8fec8092212ae52a9aa1747adc32

SHA512
0e2c69dfe3e81da6d0f2bc19ec69aa25d4485ebb3f50c866b1817312c4e47199768475ca8a66653da772851a1bdb93a82c5a4d7232b1bd83db8727f568640769

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
c3094714d1d5b3ad9db43b77324d7bef

SHA1
21cda11f808730d051912fcc321bf21f8e4e88fe

SHA256
e7776dcd0ec88031e158711d984564882c4293f0d4e91173a52a0e89d4d2fa5e

SHA512
6559ff14cb58ad3d5f40ed2a76103c466a323c82776eae6140401954e52e5c5c127dd0a2033a53762f3329cf3f021309d50a479966994912a60425f2ceac4b4d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7cb59e64ed92a0cb762b3fdace84f82d

SHA1
a03176211c2e6c61eaba3049d8d06c05ae80d530

SHA256
fe042577290103fbb7c572e6ac7eb930cef7e8c5dbebbe16353022f66008e43b

SHA512
adc6df7cc96b80cebbf7391506187dbc5ae02a2e4e618fbe315eb7ddaf8a6b0cf57a15995561d76dee3b25ebcde2457ef1f7d47267fc57bbb75275dc051cdcf7

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
42da3c56f854875cb18e6e8dc0f75689

SHA1
72b39af8927e68437366433c4071700c33355de2

SHA256
684b793b9375c72b1b1d9642603570073921a2be88459c41d6feb3c54bb187e4

SHA512
651f758febcd1f8e0c683f9fde8834295ab1def0717f8710eaf34642a9b1f409cb6e554d6cb32af4f4e5114ceeb33ee6ed8d905362f7451a286b1f0670632f0d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1b0c504d3df21aae8bd224c340a49025

SHA1
7b4edd98fe49eb20cff6ea0bc5efeabc40a3e81e

SHA256
2274ed147737f69a2b6fbc48014db82314191ceade7eb17b699cda784b78b94b

SHA512
86fde72d8d2a7133590f66cc8e6f587edb2014734f22ffca538b0b52db8921eed17b072420ab6a9e21265f158daeaa9dced3270016dc9ccffe81540013d47458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
9127468c9793fa50d6087f149d8aa9b9

SHA1
e8d029511f5f8be12eb5d244d69f67b20f1556d9

SHA256
80682d65f3d6da241d27681bbb0c0c7944255b6ffe3faaedcfe23f0e86818338

SHA512
4f64f03cef4b9a7935f550c4fc238193aba30f8360bcfca5f0c62af96c066e05616cc17ac1c0b3195d298978712257acfcb99e0276a42a795f8b153f7cd26c8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9d8a17a99ea5135205e3f0b520f86900

SHA1
9e6c866655f902a95a65a8c3850d0b80923f8f7b

SHA256
f222d2b1c17180fee924607443c3d7582c85e08663b2d1dd34b82b591d1bc622

SHA512
e8b041c0027780260f1243ac01a7f43a15357a482d93b7dbdd6a443dcc1cb1ce931fa414f643cf497daa69718784a229a5ead8ed9f35b328ea83794dd3be58ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
bc229d1133a9e9f1de397f7440ad63bf

SHA1
fcbec944e714d25f22374f7c4b638ebc635f896c

SHA256
71bb047203f149a6a1271260c6fe6cb476d0776e0d0341414917391b041a9ea9

SHA512
1a9fa21ec59d88eaa0f92808f5460b125c3c9cf32c314f969eb9f36b5890967e8114997631a7552182b91abb9c11e6b10acbe656036ae6fc81e615465234e7b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e0608744d660cf6352150e7ebda86488

SHA1
3737e8547028b0b89aa68c3d07262c2707aaa5d9

SHA256
9ee033850b9f99afaf6afb8b15b1fa4678d579177192ee01ba1990d56c34ac21

SHA512
acf156805a4105c7466b2dc7d3215d97fcc0f7a0b6e8e82786bc0264d80fb133e8a16dfabb1a965f5a290055193fbafcccc653a8522ff590649aba1a2e63fcf7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
a9de48dd9a4c146c20bf26571b8fc0ff

SHA1
87f6cd73438cbca01ad590826cffc0dc32a595f0

SHA256
73d292fb67513d858897fdca75fd927673f3dc36ab211b5d25ca84552672573d

SHA512
f1f3e153c741c100cda31a8c1693564da6976486bda7184b82fb0b861524387c868102805ebcbc738fb7d46d485ea96679bffd681bdaef4310a2f777144944ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
6ad1c90897c9c5d857cabf26c613cecf

SHA1
4cf2832342e6698eed9481c97830eb4e33be4256

SHA256
97828905aed6cc1db0dd6738031131fb12ba6ff6aac3b80f35ddc284c1b7a420

SHA512
986af06f4e77aa6e83fcc7f643eefc59d7258a2fccd7309d8daab0eb1a708426223964485230bcbcc34345da2ccba80538d8a2e8c1c6c134b596cca9f9d8cc7d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
b9a61dc12d72b28142f766dbde827f2c

SHA1
ebca8e6b08d8dc86d950bd88e934459f7f749222

SHA256
72334fd8233d631541793fd027232b92be89bf57a50ed10cab5bbd2ee5800aca

SHA512
361f6c6a6c8832b80c66403710bfc717e8fc6d93a6a2008ae2a7d5dfe90a33978f9d924aaddb32e400800dac40b9948fdd6c765f5a4ece81d56f1577eec68d4f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\63d42f77-a8d1-4db7-b470-d3bf407b3a94.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e36e48532e1c499c7a08e1fe10020008

SHA1
f180c7a6ef22d8ddb0373ed93c227daa47579bc8

SHA256
d949d229e1c2bcbce1a61523b3417a7610e72ca2b96c35d9316b0637a6a5a6de

SHA512
1a5b7e4de8a18dadfffceec63d4f290b39b9b24e79c8e07e1fe1852929aa98b663e5084834a3560ccb86319d982db732932cdff7992bf9d88d32d10c525b0d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
28ffd1e8488f373f87f4427733f65be5

SHA1
2e23afac3f3307a073dc44332f76579cac682c4a

SHA256
178c3cba75f2f2080a946125356ddadba192cb015326c614bb33169e5da81949

SHA512
523344928faee30e39e45aec9254d1677a012d66fc9eb448c7a9ddf29cb4b304ed158b834a77f69ef92c221861f37ac6a62e251d37542fb86ef74bef18ac1343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
0f71c942e98a2cd232d13d5b0f0b3bf6

SHA1
e4a3d8d9f31f52550e95eaa9b4c10866f9dfe301

SHA256
d1be391b8c848b7eea2da3487994390325604dcaf4b4a2bf1de1316bf42d515f

SHA512
f0514ef4453ac4e9d96e751a634f599dcdab24d332e2af2cbdf02b3acbaa681a0156e3ae912bd44ec09a338fc69e98ecc05a182e97083d24dcd0cd81c831830e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
9920b36072b6951cd9c6c12e8fad153b

SHA1
8bd727fe7f7f0edac9aa05fc9f6592d60a822648

SHA256
f67ce28980d6e4dd9d3158b09e8537937561a4fbbaa8feb0401d45665393d94a

SHA512
0ce430deb2e61c8fd99cd22ac77da7dcff800a4a076e56bc0a289630f7e54340e3086db6a2124c85b163a6065d11263d4a6829d9f1914c08a7f3e888b8776c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577465.TMP
Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
df3728dfc1acf088a96282e79c7e678e

SHA1
e0ec78efbe983a4f4dbf84d3f92d694cbf0e3c69

SHA256
45860449fce2bf1bb06bad7fe5b659aa8e498314780240028fe5fb62695397ba

SHA512
c0ea8be0bf623f9f7bdd423de76bcd911c927f426a6f12556d63794454614399e2faecd59adb229bdae6d5caa0fb332b1cf313038c57be3814fe02ef1187a30d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
bf29017103c44f69530f5abd854353c8

SHA1
be1a8035dd13befdeed1b162e8fc641a5a465449

SHA256
51e9f009b7bb10486182cba966dc74a378982a48691a4d43bce1f39a275b865d

SHA512
d827b44b36835b37cd9f61fa45d25a597071beb8d44f827423617109e9fec56a7393f2d148c03f14557450e20c9e86576a6e0e170ad66f843f0ebe8b49630194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
bf2ca6be4d5a3b54d8f95e190799e676

SHA1
ecc327e147c5c4cd4e0abbe82f7504abb5810e52

SHA256
330c94ca5ecde1231c079f64511c3e5713dbd629945493727bd0e781e2f18b4e

SHA512
2ee1c113dd68b28ee88784fda923f348e4b4067c47e65ff26d584a853a9d2627f161ab68f2e7157f829586e792f7a4a33f659953ef616c16a01c29c94fcd18cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
ddcb39b323334c548e4a5ff1da2b180f

SHA1
9113a58f5b2840255235eb2ca0714ad41a3da4a1

SHA256
0fe626fd749bd90f384389808cc829b7ed1d22791ac68bb826922c6503b3ecac

SHA512
3e15560451030ac82206d912a3a9b564d7487513ca651415b3cd15fde8ac6118f93a0ede034a0aa5f69cdc4d2917308646f8399a4fc42811bbd655e8f5ffaec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
661198081ced730eb22867000e6101ad

SHA1
5f36b679f70c2b714b7ddcf9cf5551af357686f7

SHA256
956dfda96a30801ba9675b9661ad114c4888c9d3f3cc69cee301963168215acd

SHA512
c3fea940f1f0fc843252ff4c5fe20b80b24a0b730c5df707b0b7d3763895ce1f2e3d1bca86935c6c4906dd7537e4e4667b9c272288fe280a06c4348f159fd354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ea41.TMP
Filesize
88KB

MD5
e7421f2bebf30763c8f8d82070f5b63b

SHA1
e188042291515403949e687c8b829506e887e1c8

SHA256
5052d890e106d21d6e5c09ede57ff293ba3877ed2a2abfa9606e65b79efda7aa

SHA512
6792f2c3c0a4a9acf266181f28f60bd8ed4683d07c298e426bbfa206ccd70fce4230943c1e090d6c9c9ef24d72525b656ac9fd3bad084d39f115293aff82073a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8db8806e8b8fe24a34d0c113a9a107e4

SHA1
f76cbff572da767744f90d85441fcfa9af8f4ce5

SHA256
e5bb1fdfc821c7006fee6772bd11da8af6f0dd07aca2aa7ffd0c4936c13010ba

SHA512
e9a83fcfaf2810964bc9c216c255e74ae1e26cec33cfc064bb433b66e2e8ad77abff6bc7beb4a9b8a06ba625c952b809048f36a9c608b5b9628eb87c533c0f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
0da34f2dca65c5fe0889509c180ad328

SHA1
8c61e27e36a630100402b61b14c7ce325624cde7

SHA256
71a2c2b2c3ad5ac537b9db9b4c0cc388173e7bf31fb20156f2a2ba72299b784e

SHA512
ab017326a358a4469e4ac2f6c69333cbb817cf0a0e8f2045aa9f7291e1adc1bfc8c298d36084bda7ba1a276d24fc20129c4810f6d83c260a4824d42706e4ffc4

Download Submit
C:\Users\Admin\AppData\Roaming\c547dceec3136770.bin
Filesize
12KB

MD5
a001c9322f5cc8aca9026ea9153b5c86

SHA1
ab69577a21bb82ffb5252d5f0e935275238ba9aa

SHA256
d29a595a350814ee0d9979262da4256ada34c030a084c8780934de8da9ba6d5e

SHA512
c09372fbfc71e32f61eebaa2d1733cf373fbffb1a5bd6d9ab69b40082f4db1bdea029d41b68833f3be7ee7027d4ff389db0e898d25926b42587153eb4b943f69

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
7e2d0f2ca2112792f07164a92e8cc738

SHA1
53b8831849b1bfcd1ecdc3efa812a0047a4e3b3e

SHA256
d2b8a12c4e746b90e4f87972bcf4813479d87d880f04ca4c60f586e2e1f944e2

SHA512
16b8f447bfce7b9597c3f6cdfb426d522e950e7b2528fd333332deb53c096f75582e2c90ba9cdf4cbe3d5369b0b3b63e6c4b73c1499ccfa98874ff93a5fed517

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e0f44db7a1a30667234a8e1f4393b470

SHA1
e63fb013f4101eed0c703c9251c57b89802084eb

SHA256
b3e64562ddfff005696cc8db607ad336d05293b77c9d8b5ab97ad815488de618

SHA512
da14650ef76eeac9f3f9a5441ea3454a1c91e7ff4a24a4dda96dfa31b7c274f459535056bbb856c38ecc618250c4ccdf70284294e4c040e6e9b848f08a3c141b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
8383ab34a12c965f6eccfbd825e682a8

SHA1
74e1b16087b64b41eafca90a128b74e463eab4b8

SHA256
03a64a114e9fc81bd6eefa40d4ad4d6c0d3b8efdeeedc1e9a4547056b09027bc

SHA512
026b46088fdb319ab653dea599b75f403f1138590b4350bec1c7376a21d6d558dfc1060581a6b1c6d92d7b8d6cc26a1b1d19d8679c22bc6e677915e077395d96

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e74b9013c5a7955f214b7e83c5ece15c

SHA1
4a023b90e1e2978f32f88ec3b6d58d2c91b35369

SHA256
78a9fdb4e973960ce979f71c99749569eaa82952c060fec3cbb222fad7f2717e

SHA512
d8f0c2002949a830490a5c933c12c2f0f8d72e6c3302b9cf09741e1e18a6ed03f0ed092f9f3303b50636291d1c9cf63eb808a9a8e8454f4afddc8e5eca533861

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d0efd0223d5ee13dd6b8e5ae2e28f6df

SHA1
29874e49e7f85d96794994481983b2f7f1cd1e88

SHA256
010139d2d230a75ea610761c3e317fdaf321442452698d012b868b06b281ecb6

SHA512
56aeac25319e17111c902fd961a5021f868b1d3bd9f46a91ae4bfa71966be6a33fbd8c320cbdb0d2b2b5c8e794728d3dada636750d5542a0ea4f19c5ec0fbe81

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
297e9f77eebf86dba2e5c3b16d3850c3

SHA1
2164b1c6e7a1fecbe760e41c9baebf6e8b059356

SHA256
6161b62b98805800aef303bf483b8ed64c1e1a5647e6886ff42cbfa87d2e35e7

SHA512
46dc7431c573d09d7e15fd7854bc6f7c2c4e67e2d2f757387e9ca3d39b988101a1bc5cd9b6d4f72f7bc851c886cfd52fa0b7a4b48e06f556ad1a4415c3a9b757

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d76d76b928945fe45467a0d3f79bf3c4

SHA1
7077a307d96996d41d98696d04e4e26daaf449c4

SHA256
276c61e324c04c652f86d0c15e773c008527aa315e2bd038550a7e33e9416306

SHA512
195d8e703da2ef973750f491d1b17903ef0df5aa7e63e8b6032b77ac53fa8fc030614694a11cb7b8ed9c3582ab32d6038e7d8700cda582e0dc4a7300ba788954

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d0b891ec0a9d67dcff54d50367911a81

SHA1
f1fa6baaada686383be2ec6208b158a88b2216ed

SHA256
d793d2d20df08611f15f9f38a066fa3370cc3dd08fa9599aeb62debaf2aa518d

SHA512
e3b3fe144b2bf6d3d12fb1289d3af635399409036a3a45f6e08a3ac42ba77127800556fa33a89b442d95f1a44b139e36584b80198282b80cee9d3088d20ab301

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
198bea3683d1fc9040500b2f43c0ead1

SHA1
154628d7445286aeea34d5eda3af973647a1a4b3

SHA256
3bb2145826ac66467308036fc47774e5601e75a31df1d3927e86dfe92d614163

SHA512
a3bc8bb949b9627ecafdb95297d60207ae6f122b71b1add95d781885dab47ceb0c827fc7368f17d6faf0cbc9ad70860e25c7022f2650961ff3690f7d78872b92

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
59af0cf6a2aa452eef92337f67266c9b

SHA1
9f8beca374de8a3d5b18b551ff52dc5cc93cff6e

SHA256
97ac3f92db5b7ca7e6aec3acd68935d12a994be12fefbef001d1fbcd8fd5b7e5

SHA512
d8a367f02afdeccf6e0f1e0d967d3b3769d93ebe999d6152eeeecf7e88553a1c9e98395fcc29c62510e13d8f51041a97c138374f18b67e6dbb59c3c748d2d73d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
61bb2327f7f6c2d330a18c09339c31e9

SHA1
7c45433828b562f77ebbfdb730a13c95e90827e5

SHA256
3c10e21d543a5e4f83aa196c8be0948dbb263e6c01a505c1db5336920cc8c3e7

SHA512
5e696fc1d29f00bc1e57b2506a8338257ab3a750544fb58353fe55e8b8687dfbfc27b11e9578a0f2b6a06a82245c15ce3dce76c8499080facb513fa56b16a9bb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d0b1d05d46e0c6b9ffe4fbadfcf2eb86

SHA1
4efb5290fe7232aa87414348644f61dfecddd61b

SHA256
ff6417dd8c8b1fc71620a1095c5e21888d9fedc22d610a5d3a81b9cffa5c0a4e

SHA512
b06e59d3306b60ca922d2060b612656f92c4b097713f29d7439226010f2073424a4a92930b941f44e349a6efd730592ecd16b57d00e55d7d8a6846d7652d0980

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
222793b7e845640e5e4f510d1bbe79bc

SHA1
5a9faefbe4f752728156ee7b45790b9a2023da57

SHA256
8c2ce8b207629d6483be43f49b518e6766f185c0ba5c23b5c91fa281b655634b

SHA512
a2756e3a04b83605a9b15bec619d24f2849e796f78cfd785bd94565e1175864fdaaaffd0abfa2b3056670e9ac87a5583255e0bc43f729b7ab7c546bfb8cfd100

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3086b775364f8e56d4dfd897437b5eed

SHA1
87382f4029bfc76cd26d904ac74a6f08cd05f133

SHA256
399caa0a2e097d8f9a4bad5e6e2aa0ed5ff85981aabafa5d5295828f56f137de

SHA512
24f0e6aaa7db5ed4bf6678d0bfb3626dfc9dcaac3b4497f85092f79d02978a55265d3b03a98a7467ca524c6599623b12868cf3364480fbf302551e060b916e09

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2173a9386ac02f803f9d1e8a6b3d1b6f

SHA1
37743577958321084b780c6e73605ddf963039f2

SHA256
9efdb2a97c96deb36e18b8460546d2e0f98f706ee00dc29601ef46f004952130

SHA512
687e50c126e381a25ff9ec27f2366d1a8698f4b469c06333dddebe5bb237d1a118df194ea1310cffae9538a955490bba8abd2ee8c124b12710d0030ec9e7b024

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
151591d8bef4b1b906b59c693bc2af15

SHA1
b56e3d414f0af6649565bf69da82eb124e9bbe90

SHA256
72609c97d3fc3b5b49848f48bb40cad94b5b441820606d25cfac8c580d62a47b

SHA512
aea317998866b85e0933043d68a9ec445fbc5340bfda7d646fce55773926f64d9b5de09f40138a56acdd4e742444adc27c5df350dde050e2a43e677f8831c2f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8291449fa45a771e651f7ac5d7065be8

SHA1
a906496f21f55ad068d0b984085ee90c5d13b861

SHA256
17e24d1afaa8aec83f83154ad1c7b47dcf239f0d4611dfa801b67f267a9e7048

SHA512
84fecf125fa46db99db0d9a715cfef75b68af5e294bd2e436f042da3a160dc1331a2262333c67cdedcf2d8c9f4c3f5da1775165a3537ea4b845f26d5c7945089

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
26d79e854b4ec90108d3dc16fae11299

SHA1
8fc5bcf49b55e604c54c49b13ba21bbb68119c64

SHA256
39becf9e2c50ad170c2e3f8eabec0984e0bc532f32232fb92a373c6e55661c7a

SHA512
7b7be8afbec6ec0f57010e4d73550994b59d57fa762fbe78331426cbd75a913764eb183d86f3a5954c15f6de1e0c829b9aca317c6513110b601026d22fcac5bf

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
94dd9804970c512fe7d82bd23afb7630

SHA1
2c2e7d1baac0dabc47c815fea49be2681c9bbddc

SHA256
684c89fb5dff23eff5993eb80499613aeb2e3f1a209c1a0e929c50492380938b

SHA512
157dcce89ff5283152c6c8948d53aa5f65b1dbbdf0b7e8156afb75f2cc6cb042720eb99669679fc0c7346c06fc266be416d4775f1baa9e86120feeb739433249

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
2558cba242714f712e08d547beb6cc22

SHA1
1294135c33167732045341575a15caa11f542ce7

SHA256
595b19b9afcb3f8aebfb4b478a1bd5c77c3070a78813e403d69571b227117608

SHA512
9643b86e1d28ebc22a08f6ac1fdbf318ccadc08fde997da7ef32837560d9808501aee9352476b7f6f6dbd05f597a6267bb1e59206ea1b1497bc6f5150216ca4b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b6810ab570b0ccfc450398ba3605d6df

SHA1
3e3a5870a30c7b26c48c046897b84c723f970a06

SHA256
5f18d124e86b8b1937a7bbc59076ff2002e8d3781552f7a37bb6b158f00ca923

SHA512
c3ffa1a6cb095e8eda47090551ea4af340848227708c0a9ac5a97e7b5b4b1ad270460e7b45e8393791309196cf97c0deae7d9fef15f06d91f57a804021647f80

Download Submit
\??\pipe\crashpad_5100_SUZWKCEASMLUVKUU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1000-233-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1104-224-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1228-223-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1228-320-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1228-67-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1228-73-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1244-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1244-63-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1244-76-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1244-57-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1320-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1320-284-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1348-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1348-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1564-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1860-637-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1860-283-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1964-235-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2052-528-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2052-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2052-20-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2052-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2148-238-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2252-237-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2252-593-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2396-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2396-307-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2464-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2976-236-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3040-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-630-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3040-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3088-242-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3340-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3340-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3456-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3456-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3456-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3456-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3456-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3468-296-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3468-648-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4080-240-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4444-35-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4444-548-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4444-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4444-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4592-54-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4592-43-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4592-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4944-239-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5320-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-609-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-652-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5688-723-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5688-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5780-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5780-598-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download