8d01d6b481481d3b85d3f0926aadf696304825e93c5f0ba03298b8b64a579adc

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
Size

5.5MB
MD5

3ad93b70da80f157df5421cfc900f3d0
SHA1

1bd6fde894dcb3bcef951b3d98eb73a1e115822d
SHA256

8d01d6b481481d3b85d3f0926aadf696304825e93c5f0ba03298b8b64a579adc
SHA512

260b1aa8cb55ba4835931046ce19501d3e252508167a07eb3f27336b3e6d6900f9ca81c8e00649d2e3cc95db07ae7f084ae98ffef80f922c54ce5a629809ded3
SSDEEP

49152:yEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfC:YAI5pAdVJn9tbnR1VgBVm0J3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3156	alg.exe
1360	DiagnosticsHub.StandardCollector.Service.exe
4428	fxssvc.exe
4340	elevation_service.exe
4360	elevation_service.exe
1524	maintenanceservice.exe
4200	msdtc.exe
3692	OSE.EXE
2008	PerceptionSimulationService.exe
1528	perfhost.exe
3544	locator.exe
5052	SensorDataService.exe
4704	snmptrap.exe
180	spectrum.exe
4252	ssh-agent.exe
2420	TieringEngineService.exe
1088	AgentService.exe
4892	vds.exe
2700	vssvc.exe
3232	wbengine.exe
2456	WmiApSrv.exe
4560	SearchIndexer.exe
5568	chrmstp.exe
5856	chrmstp.exe
6020	chrmstp.exe
5872	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

Processes:

2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exealg.exe2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e7ef90292be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbd1c5b71caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037355ab71caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f531bb81caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc46abb71caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1d076b71caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ccf95b71caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044949ab71caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610577306586717"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exechrome.exe

pid	process
4544	chrome.exe
4544	chrome.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
2972	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
6948	chrome.exe
6948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4544 chrome.exe
4544 chrome.exe
4544 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1208	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
Token: SeAuditPrivilege	4428	fxssvc.exe
Token: SeRestorePrivilege	2420	TieringEngineService.exe
Token: SeManageVolumePrivilege	2420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1088	AgentService.exe
Token: SeBackupPrivilege	2700	vssvc.exe
Token: SeRestorePrivilege	2700	vssvc.exe
Token: SeAuditPrivilege	2700	vssvc.exe
Token: SeBackupPrivilege	3232	wbengine.exe
Token: SeRestorePrivilege	3232	wbengine.exe
Token: SeSecurityPrivilege	3232	wbengine.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: 33	4560	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4544 chrome.exe
4544 chrome.exe
4544 chrome.exe
6020 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exechrome.exe

description	pid	process	target process
PID 1208 wrote to memory of 2972	1208	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
PID 1208 wrote to memory of 2972	1208	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
PID 1208 wrote to memory of 4544	1208	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe	chrome.exe
PID 1208 wrote to memory of 4544	1208	2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe	chrome.exe
PID 4544 wrote to memory of 4184	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4184	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 4740	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 2968	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 2968	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe
PID 4544 wrote to memory of 1088	4544	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_3ad93b70da80f157df5421cfc900f3d0_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec2baab58,0x7ffec2baab68,0x7ffec2baab78
3⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:2
3⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:1
3⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:1
3⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:1
3⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:8
3⤵
PID:5908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1912,i,4619561775816549716,11335788043969174324,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3156

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1480

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4200

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:180

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4280

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5240

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7bb4d14b9d0bf9350f7ae7b900fa6fe8

SHA1
043892fbd8c4a0639464c52f1c9d97069653b170

SHA256
e452431a54cf734dcbd1e428bc103f9be55ffc5116a8a3d02c3ccf3eea40ff8c

SHA512
cb9ebe83435539d5eb4fdce863d34e75d62a5e60b641233cebb1f29ec019a5ee762f1d2f6a25ba44bcd096c349ac97d7f0273bb3619f92d386185e8ebc4841a1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
84149caf0edc286b4f6fa75f47a1b5a6

SHA1
0a802438792b1e1888a486f08fccd96fad31787d

SHA256
dd16cd52b095e6c218015fd9af73ba32da578bfae2296544171d61a2c720223d

SHA512
a1fa70f969126f283b8b2bcb84038c0c7e4d9b391a787c218ff9c3b236a44f0a819cdd7f6663eb5bd6f8b0af3d067dbf17164b48494ca203fe4a9eb49885443a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
9b78f42a6e241cb334cfcffaed10e545

SHA1
d9c474c7cde057fe91329c85d5ca3753d49ae795

SHA256
1aa323dcea8b1b681f225882f76388fd8a5af091ccb27ea8d34f429df1e50422

SHA512
02246b142e98cc9cfd79669ff01d2357a936c13e7357a45c92d637a561ae577bd5ef59df02f034052edb313d4b14a7346bce50e7509f792af87217b5989b2e85

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e13460ca7722fb8003cc2e445e869a2e

SHA1
c59f845bccbff43219e2c634d782d90eff94ecfe

SHA256
1e4fa34cfeaedeceec3b446fdbd7ee82a19f86481c966f8cbac1a96032627aca

SHA512
0ee9bb95ef2010a7dd6d7803654774e2e75fc4c7f5220cc686d0a7c4918bef2f9f766fc73c755740c3cf10cedb79e99c943743ab6853d54f5810d5720ebe4c18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
435e4c1a5c6ead77680f6814122e603b

SHA1
f51b636c36ce0a325fca5e4a602284713d069e37

SHA256
e394c78701b8fe9967a5bee3ae2f429a729abd07a9db32ef6ee1186e266b84bc

SHA512
8385f0e7837c0f26fd8620cf8c6e76db7e5a471f2d806a3eb070232157858e7ac545ca699e8bc50319c6836c17aa5646206950f02b86a1d4902f7a2c3d64e45d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dc8ef903-fa48-4361-ae2e-5434f0fdc0f5.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
722d6a402cf3e52f51fa576ad1066161

SHA1
a26297092ba2432509ac41ea6c14ab63af89002d

SHA256
70186d85fa13af6f60d9251bc55e2d59ffa319e8e5355d1a6f9b37890a1ab655

SHA512
fdb607fb967780a8be47bed8a37175d393ebb2da3ac40e38b2ea7e99d4ae507ac2a33b365656b47bfc15846f4f280392146656ee4ae36c94c6cb5f6c13ddb1ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
02a23467187f5c35a2f8791ff3f1c2d0

SHA1
9f1284c97e5724b0bfc2a525cc238ea2d9cc9a6c

SHA256
671bd1c7450070312bfbeaf51ff5036614912271cde5514c51ca2b12b5d4149d

SHA512
870c0db6623448a829466de9b8aaa7cd492d56aa0c6f12e73733ec4bd6f3a948b9e24a2a77a6c16196ac0bf5a1de5dfb5d3ce0c478a84940aae5076eff90cd7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
fbf36a8cb3ab0aa8e02d12343053f4a3

SHA1
7d86d18b9be8180f7a0461cb1e0396b0b2f21ca3

SHA256
226cdc96fdeb0919347636d01cc7b9319ee535f0bd08f764f1a9af0f5396e0fa

SHA512
67f54aaec268b45759344405d369acf81193c902054ecfb8c864fa4e9e18a950523f815f8cca6b536558239a80aeb394dd68ec9ae011a1413839172a4e8c1dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
18786d35c1682dfe409bd6c27cecc0ba

SHA1
40c96cfa9968387ac1f4146f31329f614025bd72

SHA256
2bfce887328483cbfdb112a4b42e628c545d6511f573df76873246708b3e81ac

SHA512
529fad53833031fb9a2b776ea69c30a321f267fa2bbad2b7d00688566647430533a6a2320764a7e7651ee071bd776f118db5f64b197bd30a9b49265f5615b91f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
7429128974907f3639431f4adf6bf2d3

SHA1
5a4fadc88dfb58f27ede117dee95803c9585c91d

SHA256
46de2b6e18e4a11f01243c8559fdca71096f9d7be84711dcff6a1221d1070a2f

SHA512
e74f1aa135331d33d309d65bf705256f21d27c4698d2e138fde1d0fbd1825966c15008407406639969bbb4c2ffad86380bd6470d9d780e13657725576fde2f42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
07d2c6f5322873957b8e502e667ee63b

SHA1
878b1211e8ca4c41a45fa078832e4d9f99a063fa

SHA256
dabe2df666db8a2840a577532a8c6f84412aeead5430407ac693ba137c336cc7

SHA512
72531f859c00e03b109eacaf2a5b8cf36dfcff9dc5bd9cb458bf458d237fa8fc1652b77d18e1463ead0910c6fd63bf0faf4aa9f74ac93db711895d6748232d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
7f18afbd4090d5a9c2c932a237823491

SHA1
9b9fe9ac245eb9bdcd92c537a98bd52c4ba14158

SHA256
097a7d7fccb06c37687cf9f92ee86f196c6ee0cc7e52508f51833287f11f595d

SHA512
ef0e9993548283cfb3ce74fe1a360b1f3f97189e4a1a236ea72a92e01114f5bc3d0111109219330e2c12e9e224259e3d9a68aaa67ad97d506f849a090e042082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
358acbddebec51a2e16b67f0fabc2e04

SHA1
4a9510665cb44a09aaa7047d1aaed7b408dab7e1

SHA256
f9fac58fa13aaacb9ef8c9b7a579397583d49c57610abffcc41d1f8760503f71

SHA512
d5987d941da062016a99d442c040aae050376f476904a9a533fa28d85b983ba77582853fc69bef28700c327a502f9ed416f9122b5b0ac5d4b8cf46401c051404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
beb24a77f8e25cd659a36d877bbda0e4

SHA1
965397ea5931ea6cd955db3683e260d075ec4058

SHA256
b2cea31b040d8a477fde1c83af206e8ad33814bb03b79dede69d13a0d747037e

SHA512
6acf255a94bca9f9d1bdc158c4728dabd5e95de4ea8284aa8cd4a2c07e98e3ada3a4a94a415cdf29f83c6e4759ab6b1099a033b42b23f1e46f42b4c9a9703f93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
Filesize
1.2MB

MD5
8df372fbf0dba93bb6b4a6ff8e1610aa

SHA1
2a6c7b60e58fefc941f8f2aa330f33573e65a713

SHA256
784f1e25660f06837528295e4b2e14c526c9a30b22052f698d2c78b8535785a9

SHA512
688ffeaf493ab2a35d4573ff1f6a4799fae8e2f7203024fb9747c96f6bc33289ec08c1d57316909f809884f1d4dbefbc93fb1950db6d126655af3ae1174c912a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
Filesize
1.2MB

MD5
a07dc6a800c9ca8615d923f34923e1e5

SHA1
c6b73eb3a4700ec3815b608245687baa83b6b7b4

SHA256
63e030c97899d2ebd84a22a2cf704f2fe585f7feabf94115ecb391a6d7f9145e

SHA512
6e4d8256f9f2da96a966c3784b0739df49ae7b1c96faac254c1a66f43243d8ccf519b9a41bae11fb425c8e498bc8706b55c9df6d9f3df2661a78cb11e60e0761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe
Filesize
1.2MB

MD5
a6343403938e30eeb2e26e9aff77c02f

SHA1
abc05582e62f7ff1ab71791ae6b82eea54349403

SHA256
fca05c742b30ebbf99aa2605b643e67c7012347ef522c87ac2dfff9fc27c6f22

SHA512
4ab17c675d49d64626b02fa71e63c39a0c5c690a5af9e380e5fca9f251536455aa9c7d2efd22015e06b47eb447c708f7906120772eed5cb76d2b14292390e146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\keytool.exe
Filesize
1.2MB

MD5
f278edb15c2917d39292ca37dc188b3c

SHA1
1697605734b5ad800e01f89b49576948f8a33d72

SHA256
320afa6488fdddb158af8966e3a66c0123b6d35ab7c03578ed6c3b75a4e29c64

SHA512
2c84e3fc9285123c68c092665cd0be6d1651a91872551a7458e67106616c0391bb6b191e9283992e0562dbb6e25f874e0909b1eec568893c5ebe3164965615e1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
2446de684cd9091239ad95cd565f7012

SHA1
8aca09f408b0df66882f5babce144e120bd1d2b4

SHA256
d6b835adcac4463151ab800ff754baf856f8b3ecb07f7fe00fe11b2dc4326bf2

SHA512
c14d61c7c067e3eaf7a4f598f544e7c0e56681ad3c1dc573cf682a0dbbf13b89ad360106f860966a8dc198daf3cf20abf720ac21fe751b35ab07b0fdd55e2acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
29d76544e5105a06d8124107e2ddb748

SHA1
a7c560a7f9428385d5c5783410eda40525e0f4e9

SHA256
508d1c249e996fdce865fbfd62b8fac7ce6f814ef2b47b0e2ae1a178b625a520

SHA512
853691aacddb7dcfa5c88b6c9e4c2396300f744d4962d7b6d581c9e04ada6ee7b9db49ff70d1e9bf038b2a643a37de2f4f89666492b44292efa85e7d27b43a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6f05b7cfb829b5211b3f53032703a0b8

SHA1
4972922f791d3c279216006e4a7269c3847d0dcb

SHA256
e96e587595d6021411b6388272b1fa9c3e20c9479aaa880b968bb6a95e797533

SHA512
9dcb788744112b414addeeebcaf8535e5e5e8f3824f0b9629ead6afe22b2c749ae688d5854b67a14f0e77bb0b19a26e0dc5a58c8755a0f4fc871bfa3f0a464ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
03ee52bf1b809bfeb2c022ad65ba2cb1

SHA1
4fb5eb46f5a058ccfd4a6b61a4c193fddce3f2d6

SHA256
d362719d15e4c5116b13d33fdcd2653971f83f4ff59a6df063a5a820321c0b9e

SHA512
b21a41ccb508e9f2fec32f704c50589efeba7164cc7bcc5226952c88017df1e5f13c4489f5d0c0a6fadae7fb0a1848d51c8cd86369f4ec67aa1124284718a915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57738a.TMP
Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
8cb091e62c7e17c05ec680c21f175935

SHA1
e5750b54f6dc0414384d79c32119da1318bd7f5d

SHA256
700d4b6b36615341505e9aa3934f1a28a568ce7f9b21fe15bb47822a7a8954d9

SHA512
bc46fea7bfd5d1b68132383aa6ba44ab6724f427e206410af217fe2e3fdb6e40259e2aadfbc4a9f9d0cb8ff3a06dfcb1a08ff2155b925e603fd32321595215c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
c0d35a94a99290ad3d4871e4538b6c54

SHA1
5bb33d72c9f667662a143226db38dd0955651a69

SHA256
d62ad2ea3f1c45d8286f9a31a900edbde961a7b8aa37b12163c50d9e96ee971b

SHA512
1d0b9d5ceff4307384eaf1a498ace1eabd1bd8148baed9a59b1af17f2f241f491dc1372323493db1bf986e5b69ba27d8fdd979f4030913a6bcbd36e7aaf90b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8a2afd11dbf74144f92624484e3396d0

SHA1
4d16e19bf93e765bcdeaae9eead3e79d941ac79e

SHA256
c0ec467990f2cc543f56851aacb9be50429488fe42c97569e22ae758cd31b0fc

SHA512
5fed25475f5c9a1c7bff65581320d94f0a9b1d9e5f2ffc8415cc21d0bb8a12830ec9f0f9702bc062fbfa47811184e03a05072c67d714107612607e50ffbc1671

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
4287f0bbe2f40b4d639c9e6510bcf154

SHA1
de124200d8e9ead5df0892c10c3513c51da776db

SHA256
00907b0f6325cb4962d44974cea6804582613862593f6902201f0f42dc197e51

SHA512
676238012ace392d68c8e24c96b1b9b4c95f74b8c5d92bada1c50488d2000b7bc847623d9bc76e7a2a9ed0b3b9a5c1d3b9422852975a77d939f0825308bcaa99

Download Submit
C:\Users\Admin\AppData\Roaming\4e7ef90292be0f3e.bin
Filesize
12KB

MD5
aebfb03efab5f8831611862c87b870f8

SHA1
c12692009f3accb0665f960ae73be8ca1b627262

SHA256
e52d8a6b8d1542217ac22397bd62126021a48977bcc99c8463f863ed6dbf4427

SHA512
9c66eefdf49082fccc8dbc7c2ba1f7b2451f70b04b5dc4016a65811f05464116b8c7ac43f1f376f0de0cc1dff29877f68254b79de381ec7e689ef06fc8f09b04

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
a8c44198046c8ce75afb1e4f26985d0e

SHA1
937780e28fa7d0f975a9d4faa4faca455d523b42

SHA256
7fc5249edc3fb330fe7af82f012d0f8e790dcffe6c13cd8065c524c89fec607c

SHA512
684260c4a34efc046c3413e019cd66ae1159bf8094acc3bb5dd3b6c16cac4772cc689c57dd53420438ca02d25356c0dcc4b0805e24101e9b6970252cafa3cf87

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2cffe3c27e1740aa21e1042149a3d56d

SHA1
7ae758790cef05c3585afa8ae5099b5bfb83077d

SHA256
6301b3593e213faa15e4c5c723794658188b0be79e24f5bf5fb78b3216c55489

SHA512
53dbaa85a9eb7bdceeff5ac89448433bdbacd9ee645b7c102f2c7104a7443b38ff5170a32d70f9fb6f5fa12dd7c90d7c60d430583dc87ec3214bd5a92fb1f25d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
d17891919a1f032ec8f7437d7855f544

SHA1
d71ca30b20741511211834049bb5f630249462dd

SHA256
057018388287bf03234f8d70227bf5bf0aea5ecc158f1c5b5e9d8871fbd8f62d

SHA512
befe1e04a2534b5170e724e1137a904666f9c5a395a5dd725dda7a75ebeae025b34b983a8c19c5a3536dbe4173d340ae87a090a22eba56d73eb7b2912e8e9b9c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1a908a3faa4ba204f085f1c42678914e

SHA1
5eda67559a6c758ae7bd9572ebec7b1a5de879e4

SHA256
54d5443329b6a8009cf23162d814ec078d908cab0975a72c100948cfafcdd4b8

SHA512
319848d963bb6597169efc6b2ef077eef9a4b79ab88d9ff1be7e053b277b98644e381e9988df86966eaf47f76ddf37f7f38aedb618c439eb0b0a10623c22e4da

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
917a9b97852281e3deefb8fc579ca97a

SHA1
77aded35e72e050fda2bf8ae346f7ec155a73467

SHA256
64aaf04b8008d471aa168b0433acdf68a9c257c2a9ad035a41a7fcfd79697c45

SHA512
177fc23165ea67b6f0302f157b1cf2c66d080568708807c59ebd2ce29d737030a1d8357282674e643a677f7a120593160eb91fe1e9e2445ba151dab26f23b755

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
d33ad3cc695dbba5a3d147b3dea986b2

SHA1
09367d75ae04fda168402b85aeec790a2b3206a9

SHA256
13e47189254d02cf4f5ed2d1a1d80126bc0dcce2dc82e21deecd9b7f29f96e6c

SHA512
1f28cb14fa787f13faacabd9b0aec8ff661f59317a6c00ca2f8bb0d4c6206d67e18d0278c1fc25cdf1c3a22e940768328ed82d33308b0138caaecf6f7adbe758

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
ca296b8fc958fdd9581fd318d9a54d52

SHA1
452f3ac5cd968c245a982ab25d23f1e0841d60c2

SHA256
95b68c46d3230f4a6d1e6c291c56ac688d10b9804c5e9ca5daaf2627b7a6611d

SHA512
bc2f8a3a37ed58bcf24eaa326088ead2a1e08beb052417373b69acab20acbfafe457e1e463ec936c3c0e61fb976a5093f4674aa169144ac759e5fb4226b4bdcb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d2e9b8bba22b5f8fd6b4f348e2fb0d07

SHA1
a26ca4f18e4a72b9c69ede07fbf01790d07b5e8d

SHA256
dd6e93d02add498af44aac88f6df1d06cb4cd4997221b0e8ea2f544bb72e64b2

SHA512
d7d86a6cea46588ce0f8486637e30a0e249437a877c6e3b575d8c12668a5695bd3b065bafa1bdf72a1636da894bd390208f5748a12c351fd7c2333eaa1959947

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ac0be44e01e45d34f9bcc3146fce3520

SHA1
7f1f514ec9ddcb93a58a6d05f87d2f3a92c2a1a5

SHA256
7a1e12a41672c29c4e93e28cd8cb398e2bc20c1cbb33db6a11eeb162d2648b94

SHA512
6d4ece98ae89bd68c837c8e57c9f2f394dc85b04ae7ad1230c45eff5e130640f30c250fd91103bf0c32e9f4ffe512c4eac67865d1d7e9fdeaa627d96b9b7ad75

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
caf90a1702ff38979e1a9db3b309959c

SHA1
714cfb66243f65e897db547cf7da2c0c0b9f1449

SHA256
b9161476083b029054e75fef05228240ddf01ae877cc761111e396c22e5f44df

SHA512
660e3ee1070d621298c2e9282a5ab0ef1379a4ca5a333e68a188b54c54eb8a37e13ac57d4f758314496a613b8c65a3ff5bddaeec781e766ac5bfc47063b91bf6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
450f4c53c03207714600da1b6951eeb7

SHA1
f2c9f50cd890a265e5e2ae08c678be95e6c85b17

SHA256
d58c451a312ffb7bc7d785a1f0b442c0f4de889de3d34725f7da6f64f81009ba

SHA512
0b695685261c05f680d233f3d680d7d9fc6149e338840e9a754ee3fcb20df74fce1af1bc86fd682208c0b04e5ace1a851d2fa1932f13b559af505718288e9ff8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
2e1bb5ae2eeb3d65603ee3e8f79ab389

SHA1
62bc525928eb4b1ba40c179ff20020006c1a53a5

SHA256
672959916d99f1b461e79026c732a24cac8e88d4e00dd5b00e4748458d1a826c

SHA512
7ccb06536f117cbb644c87a41b3bc4f9f49c0ad4483094e0ca280cb6d51c1fafbd51b26311a4b4651a36e16478b83f72dfab4934e43c7ed52a50d066585f33d1

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
b422c72b96541e75e9f188755a6f2d66

SHA1
3fe156f6381730403bf6097b08b5aaa18449bbe6

SHA256
a5bc37d564c0d28cabcf326cf32ee237010415c8e9e5161a15aafb0ffa059244

SHA512
e82b6757638aad27d1a6d310a9c313ed1913a25fade6bf4a22ff519974dd187713b398dabbaf1231a6efd1825c78a49d349f90c5156f38e88ba3fce1098dce6e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
639e2fef44518ec0509a9b13509513ff

SHA1
a9f7b67be676c4dcabab591d1f02b7f8fcba9676

SHA256
6bc54d3b42a1544af556956d50340ee010015a3ecc7813b4788ae3d09bdb90e0

SHA512
9c09f23dedc06e1f58311515c330caaa63789443956863df2dbb7c97f43f9cb6701a464f2227117cbf2a2dac9f5e9f99024898459ca81b15afff89cc6d72ea5c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
582da18221add379f98e8a49b122643a

SHA1
b28fb647d4a5bb569542d28fa0ae8e0f0e3d6276

SHA256
812037361e33b56cd45cc872e6f1e848df0abad24dd4db3db52f598348d8832e

SHA512
956455a931e372c34188a3be133a48024d2a3db59ae33d94b75f35b0cf8b08fff9ae3439902b512b1d287d179b08951193657e4642d3b7e5bca986086075ee30

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d8cbe2b801e44429d07de586cacad55f

SHA1
1f998461736b700e2eedc31e3f6350e959750286

SHA256
d6335a3cdbb93e13ef08a8e2fcb470d5b9fe31b6b9964de0fc236861ee8f9095

SHA512
ad073474107c8a6dfb6f928947170bfb26eb41ec6bcb5cca7d4703eaa188f80fd542c9a66c6343cefdb6147179b149944ea962d433bc3caf05b4db7eda6565ac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
5cd8e2658dfef5192cfdfac6a4655ba1

SHA1
369371ac0e0c35a45e2e781a33336804de5342b5

SHA256
498fc90f8c5ace604c27f27123b15468a7632034eb5025647ab9b22576d535ef

SHA512
fa7956ea53d627f09c8a77b41122f4f728e4f460046e4a8b0127bed99c6428ed3199e6cbd648cf6af6d66eb171d1d5b377888c817a6c5c5866e3bb081f561b51

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
91dfa20f1d59ea7506335ce7d4533e73

SHA1
8d5dfb1a6be8dea8b0831d484e93843e1b1093f3

SHA256
999b85b66dbe48914791dd167154fdf2a977e4f92fffb6b3fcb436e041e281f9

SHA512
996249b8ae4579422d521afa9cd894862b5d255bbb3567cebaa33919e771f18c9943e1c0c355af0d1b5daff750d0f6833822bc469f73fe591e0afee9f0e6acff

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7a0c476593604ac05b0c66ae1f573d9f

SHA1
4056af437507e5a4392b403b461b063b33e4d000

SHA256
d379f682d5c68cd82f7e88526e38daedfb0c878d25e0350c9e5001e5e5030f62

SHA512
f78a5c0172560a4c124cb1ff2e0aac3adee94de8b24d780d62ec3c48349197c636045fd4351d288fcc64ba85ca85e60bdfcf56487c022d19956056e74f07ac81

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
00497e8f990433383e240bbe4a858bc9

SHA1
5be35ad97a304335e0fb9db96711dae93b691515

SHA256
fd92c98fa54faf38e335d47c4d881bc8e439736e58b69185eba49663705a5c5b

SHA512
254deeea603849f1af838e5d7857d3da65d0b2f94b2c98efc424402e8b56aa03032fefddd77156362d0fd3a5ddd6993176eefe5e00ceb74198fa77f7c5dea089

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
4a9e03a47a3b685502bdd6ff5d660624

SHA1
ac68471a82ecf631f08df2ee0b8afa170cd3435c

SHA256
028178e7db1ea2b9c256b1c50439700fbdd4400a42e0820b7a4434f2b30ad8f9

SHA512
048897c7a91fc5bc32d33b332bc5eea3b6823caba284916ebb2d5f0e400d9b30204615e98a16dfb14d473d67dcbdac04e4b4054f79736250a9a5dde1ed11dbfd

Download Submit
\??\pipe\crashpad_4544_ZKUOWPAIFUTNOJFU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/180-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/180-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1088-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1088-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1208-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1208-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1208-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1208-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1208-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1360-53-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1360-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1360-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1524-105-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1524-93-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1528-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2008-205-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2420-212-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2420-531-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2456-562-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2456-272-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2700-260-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2700-551-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2972-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2972-18-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2972-12-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2972-284-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3156-436-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3156-31-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3232-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3232-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3544-207-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3692-204-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4200-203-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4252-211-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4340-366-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4340-67-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4340-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4340-73-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4360-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4360-472-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4360-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4360-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4428-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-57-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4428-78-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4428-63-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4428-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4560-565-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4704-209-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4892-259-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5052-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5052-529-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5568-448-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5568-504-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-600-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5872-603-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5872-484-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-471-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-493-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download