7af443a8d8976520e3ed9768e85650e7f947859cc053d369c217949cdc80eb88

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
Size

5.5MB
MD5

c0f0446f256d5c5a6c5fab0cd9533ac8
SHA1

28d0045e04e9638b04b8df3d7590022afff3abd6
SHA256

7af443a8d8976520e3ed9768e85650e7f947859cc053d369c217949cdc80eb88
SHA512

b591200066b661cccf411bfcb81a364a6e0fa727aea8fd5c594c3f45df301b45de5afa4f832d5f5df84b3fb331604140f39eeb1c3be449dc5b4e1e96bbd97f08
SSDEEP

49152:UEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfw:SAI5pAdVJn9tbnR1VgBVmWrd9eQH2U

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1764	alg.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
900	fxssvc.exe
3696	elevation_service.exe
2804	elevation_service.exe
540	maintenanceservice.exe
1780	msdtc.exe
1180	OSE.EXE
2948	PerceptionSimulationService.exe
3608	perfhost.exe
1608	locator.exe
4836	SensorDataService.exe
432	snmptrap.exe
3696	spectrum.exe
3252	ssh-agent.exe
4572	TieringEngineService.exe
2800	AgentService.exe
5200	vds.exe
5292	vssvc.exe
5396	wbengine.exe
5520	WmiApSrv.exe
5648	SearchIndexer.exe
6044	chrmstp.exe
5484	chrmstp.exe
2800	chrmstp.exe
5332	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exealg.exe2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7b88ffa44a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610583131879994"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae7be1141eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4a007151eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063f75b141eaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000040a6f141eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab650c151eaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f425f1b1eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eba3c9141eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exechrome.exe

pid	process
5020	chrome.exe
5020	chrome.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
3556	chrome.exe
3556	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5020 chrome.exe
5020 chrome.exe
5020 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	368	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
Token: SeTakeOwnershipPrivilege	1640	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
Token: SeAuditPrivilege	900	fxssvc.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeRestorePrivilege	4572	TieringEngineService.exe
Token: SeManageVolumePrivilege	4572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2800	AgentService.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeBackupPrivilege	5292	vssvc.exe
Token: SeRestorePrivilege	5292	vssvc.exe
Token: SeAuditPrivilege	5292	vssvc.exe
Token: SeBackupPrivilege	5396	wbengine.exe
Token: SeRestorePrivilege	5396	wbengine.exe
Token: SeSecurityPrivilege	5396	wbengine.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: 33	5648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5648	SearchIndexer.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5020 chrome.exe
5020 chrome.exe
5020 chrome.exe
2800 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exechrome.exe

description	pid	process	target process
PID 368 wrote to memory of 1640	368	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
PID 368 wrote to memory of 1640	368	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
PID 368 wrote to memory of 5020	368	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe	chrome.exe
PID 368 wrote to memory of 5020	368	2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe	chrome.exe
PID 5020 wrote to memory of 1516	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 1516	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 4016	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 2272	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 2272	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe
PID 5020 wrote to memory of 3432	5020	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_c0f0446f256d5c5a6c5fab0cd9533ac8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x29c,0x2cc,0x2d0,0x2a0,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a3dab58,0x7ffe5a3dab68,0x7ffe5a3dab78
3⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:2
3⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:1
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:1
3⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:1
3⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:5848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x29c,0x2a0,0x298,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:8
3⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1880,i,18124512065382500782,10518897371820600180,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3724

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5416

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0e54aacc44143fbaec859edfaea002cf

SHA1
6157f108b25e0cb2cb1061b76a1633c665033aee

SHA256
81dc2ea98e8ee4ac6461403be3cfcb54349b1fc6da239e3518ca5bc190a17c1d

SHA512
8b3acc22b9395e168b0d2037ab2721b00d626afa2807406da95097fc74f1e0dce908c49c0032d87ba50ac1f9eafc1cf7ea66611ea6992f9aafe29f72293842d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
3309b7fca3f67e5c2ce348df1dc73904

SHA1
824af5bb0750b2a73334012068c1172c8750c37c

SHA256
8b1969855c73368787dbf9327db8789bbaf89e22853ace3a5ec35e64b1f41d10

SHA512
c9fd68f61cf5c0bf4dce2c62212a2bda8669eefca4cc88368a32bd015e751894ebcbfbda401c8d7df912db04ae8dada999c5e8b22296691ef609332700f71b9a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
25f35e78645cc3709cd3a02eaf2293d5

SHA1
af1cefa88c5ce7bb20a56d05dc2a725eab5aaea5

SHA256
ca9ab1e52eed1cebc6b9e1194f443ee24e3a2cd0f6845568b27f3282cffed682

SHA512
be806653da318edaa54425311ad2f8d020015d35adcc8495601def12178d074c70ac97b2fbd08eeb5537276397cd4720a5244b5826947855bd8dc38b0a2b99fb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
75498af86707e144f02475cf3153ce79

SHA1
8bba260251963bcba76661b0e3a160b9bad30b5d

SHA256
7b8f91e5b4eedc7fa93bc01dc3d7e37a884b1fa38451f2222d8f0ae873b6cd98

SHA512
0d1604f940c1b42b497449af7b6516d36a5f59848e0a1cab3fb036dc801c53434f07789f1b15feadd17d6d07fe382f517c1f67b2a1248ce5b141192060d426c0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
465b47f4d94edfb71824efff939d4a06

SHA1
6d7017fd7567b6409a23487ad47e0676f8c5ccb8

SHA256
77305d34843fa1b487889c729dc64c5ed9bef142b11d495324ea30182a444008

SHA512
0e7e621adea4db0af14663031829ad7e87c63caea67f915cdeef54c900a75bc32037a7d7d728b992388b8570e0bb1915ba3932f4b97be275b5c54064f3049d76

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
9721bcd8d21ab0c95e5730cfbcee97e0

SHA1
0da38bac394b1920cda2ab3e14501b3a17a70dac

SHA256
ae3c498db31afb1152e2878ab661396bf5b29e4c0ac9f914689a871082dae5b0

SHA512
7d222a51e8fff359343407c5bb747f2b19049bf1d816e327be1a221a4b2bc5a75e495ef43e1a9020bbb2d9097ac8f4c01c770b7ffe42ad929f6f231c267a273f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.8MB

MD5
7678de1129c1538d561ff2e236e3f8bc

SHA1
1174e01c1b8c4c8a7248cad6702984cabcdefb40

SHA256
6bb0d8c6c4097b502a0df69fc77ede832d7a9b2154d8b70efd86cebcbc282271

SHA512
e196c865fafca2e21ad783c6d409bf3690ee3f797dc1cdba27d32e6839133f261f1d8c8745034a30920827bd62360cf219e765e54f17a38e9e82c4ffb4ada9ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
10f8455f8947247bb31af346cf2b169a

SHA1
10a30b05a8eceff9c440d588f207927a7ec7b82b

SHA256
1e298cd2a0b3866f7c4a13abe720bf78e5e1c0849ae86e697fc30d7b6141374d

SHA512
97d11f7e70879f972edcd29dd34244f3a1295941665fda6ea597b8b126b2242689d5315d863bc5b13922dba88db1f0c1894e0a9e1a223c3e04038b20bac69603

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
e740af4db911ed8d97ad858f4b6ec2d1

SHA1
b21e02b2b3b779402d6770fca7fdb99a2a0d7d58

SHA256
25d575a61ac916c0606761af346a0b70bb6233c12dc59a2aaa20a99b788bbccd

SHA512
91bb61a465596d4779e31e14afab45d5c029d04b948d5cd0070d944cd9ee7909420abd1ac5b79a64df0375a24fa675e686eca1d1986fc538b8134c9de98a70f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
de8be5b6bae5a51ac8d5cb7985fd0377

SHA1
94a8cf1893ec33464c734a959dbba1f820e64ddb

SHA256
2019aafb75cd2c93ad500eac8178e0b16635bc81295b56db98951c592d86c3a3

SHA512
61e31a03899c75db62b71408fedcec73e12f6ee5c55d5701e43975e77def2335be3d1769f5bbde93914752013f7594f34f337de4575086d3c8835f2bd52feaa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2f51ef545f68ebadcaa2957ed41ed931

SHA1
694b81603aabedb04ead50c91bf96dcab0f60bb4

SHA256
3da30f4993bf36f32fbe6b0689cd7d947a10770aec5aa516da0fe47f4d1114eb

SHA512
3e0543e1e6bd556498ab47fb31c37bf5b261b7788fd35be7d634054a80729b977783f7cb8efc092b8f9a38285299797d715d9f2bbdca14c6484396e34989391c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5e6787e30579e514e8e718be2eb6844a

SHA1
25e1601254cfc18b134697bb99fac87c5e8aaa05

SHA256
f80aba7308be05cc2ebbde399e6bd37bc5638138be2a70727d3e6f0de98a132b

SHA512
9ab8e721a030f1825decc0859615d99a92c06800478c341a13a83743230ae8f72f459cc9b25f9c4d0810a05f087ee1234a7cffcc23185b84f9aea9c942411164

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
9014541b3256296ff6a5b4fe62023e1e

SHA1
a1406fe176aa561faaef41edc018a5ed8fbb3567

SHA256
ca46ad456bf7c732dad0b0d1d5fcc6866a4fb3e036578c580a2d1f850c527fa9

SHA512
c35a1dbda31a95accac0180245dbc1f2d04e1ae99e1488b98fb44ea207f884d3d1b287a263f0894889c0300dbc4fd7d24ce55b14e41ffccb18d1f1713ef8d704

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.6MB

MD5
37aa83cf0df8f1693e38465229ef6828

SHA1
ea242fbec19d05dff2a7d76378e279fccd384db2

SHA256
4711b21566a97d1c14129f6976c14d99c4667a4c76cbd726e98872a52d9d1de2

SHA512
8cbbb7b79566d5bac3802c7e9a2c9420cc2048764268633a8f55e5e8b5641633698a48ae61eade38efb0a51b33fe861b67d52b471b690ecd7ffd0368f6cccdb8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
62fb4d50f518d31816ea8d023f2c2a86

SHA1
e457b7fea184e486c9466aa6d97339e90190b9d5

SHA256
b576592dbdd93deefe605de8473c0557d61fdfa5a267ddaa6eabc989b78a11a5

SHA512
9758171d88514cc143b546fb1d625b2686184ca149f75b0d187cdcaa312cdd49022fd8ed046527ac60de14a2b5f26088c52354bdfd456276811869d71315124f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0e86be4e56a43153b5817fa649487125

SHA1
56f6fdff7d611cfe5bac209883a358cbe598d405

SHA256
24a765ffe6f74825befd54873ce638bfd04ea9e97d43ece120095808703b087e

SHA512
91e86b0dd3fb9d6dfa6853e941fc27415186876af5f4f864565906fc5a61d38025ea817088d2168c298f6fbafd5e95145d56e7d056ea6b2e2591fa018ab91e26

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\11376b25-57e0-4f00-b96c-818d13d4822c.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b7680cd6e994e7f664799c0460fca4bf

SHA1
420f15a66d2a1465c0b9397fffb200abe38d683d

SHA256
99f9478fa2be45d9cc48a3dd23efd5bf728eec23f410e22bb0d2d062ceccd33b

SHA512
f34938275d70318f81750b1ad30c925157323d3a559ed7e9b104af58b343539db62d1432a8ce33b8b85afe484ae063e72ee496ac7d6ac9deae3158f873c7153e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
3f272043d5a75f550a0e4f29e09b9ee8

SHA1
92fa973afee12dc6964c99e23347ec469a4d290a

SHA256
f8713980fbf063163e80f04252cee0538712dabe81ac8bb5fc71c82c1c05076b

SHA512
2edb5332689f7e61c05f90a3b1784bab37bda49426459c4b85d4e1f66bd73b0e6e1b5c390fcc86fd8825772d1b040de174037432e17b4d4572f4bda67d417092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4673db95a93ee4c62d01285bfecbcfc0

SHA1
816d6f527b60532a680f2e35d5f0c50ec55c5c81

SHA256
8a580f5442c336b10f08932b6adaeaf1d41a5037b78ac5dbe0500fa3dc1b9127

SHA512
76b126b902ac9193b35757956371c778dd2eb5015cfd546867c9fc75af9ff02aef70d30508d37d2e147583bcd08f738e62e03aa1e9d84e5b547122e5850c71d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d1c2d0a017183c0c6011c451bda5aa6a

SHA1
dba832b337d4947a29b37ccde8cb78c7e374895e

SHA256
8e78f8b92dbdf3f80146b4a8a41e4af7159c48d1436aae43eb4722e8dff969d8

SHA512
8800b81f1b0a5425876996f97a80ca7d0b7daea1f2f249e9cdcd8451851a7f2027e394a615c828a6bc7fb5e19eb6df18ffe1a9a12f942191bb49a5e402c2cd59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f5e1b2d9718215c2617a689806e85e2d

SHA1
625e983772b550a1153963674689d0224110162f

SHA256
60bea493367367db830c7c2a5afd2b1e64b99213ee9c2f7850e0007ef522f84a

SHA512
8394a4599c25ddb95949c862abfc1048521c127ce14a6ff1cf0e2a3ccd018f4b69f47e9b825b77ae2a75fbc86088ed3a62d406553dc36e755cefe4e9f3fc301f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a70d.TMP
Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ef4d865e7972803f892f8de2e0bad314

SHA1
c55d8cb9ad21f2ba3bf06d2378abf658d1673322

SHA256
7a72677536af0564dbb3fa2e4797a0a6e780b056a4367a808caf9739346a3039

SHA512
f1280f8a89a47db062983b99306e95fdcfa08f09a3c274472d047713f4a702a9ded7e13ad4934c8c892424ca148dc7502366970322f6bdecacd3ad878bc8af63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
4d3ddf978b9072095f5d3ca727814a20

SHA1
52b259c29c67ec6563378dec0a9b8a62e35fc0f1

SHA256
75c175350681d06cf91868e580d1decf9fb614120e29dd8023f9005efbf94431

SHA512
7811d438204ff10293acf541479856eb333f4d334a8a222bda3fffe169049ef84ee23d48d610ccea40b13c6082462804f4aa21917acdb1ca938976db26c54f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
d21ea74bb05cb66177703c95b28b2115

SHA1
8f3d21a0aa69c9003a309d0513a7fe6bc8ca8ae1

SHA256
e3697db6694a126bbf1839867b850c4d83f0edb2ef2a60fe9030827fe650c511

SHA512
c05cf3d78a2d4ace964b1cbe873aef5ebe2676211959205a9b7dcd008d5fa297b76ecc17aa87820b1a214a89674e9240b8d0ea596e0073ee56c16933038bed46

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
892ee0086378b1fdff5c1823196d0d23

SHA1
3419f332ea585896fba848310680c26d573365a6

SHA256
7ea0c5d98d8cd4da569b4b100e57cc0a0208f710fd917cda2dfc760a214380e2

SHA512
7b1f0eced324fa508e06518dfd774ab3ee27b25846de31ab151152033304f747aa386c1583ebcd53eb1fe9c1cfc4b09296011efb7404e46ec159c549a2b5848e

Download Submit
C:\Users\Admin\AppData\Roaming\7b88ffa44a48edc7.bin
Filesize
12KB

MD5
d626e6878fe5423a2fd550d3ce5af6d6

SHA1
b0d5cf058b779ab6689423347b0886f93454acc1

SHA256
853bba07e44471e5e4566272d3a77d77db039340b05be2649c7890f84432fc53

SHA512
b531f29710ebc83b84ca11e2f5875ce646c3e9fb16466fd7af8d0623383230504275b41fc23d68e1fc290ec5dd517b00a591128fa1ee5e12b599ee4ca3a3adf2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
1a94c9f64fdd71662fc6a4f7a6878eaa

SHA1
c04eaba7e5a58e995165c5588a0a14733857b808

SHA256
291cf98a8de9421511075051b0b6328937f7054a3308fbb0c5912f0b68201e31

SHA512
bb9acac2b282b9668389602ab26e141e095b7b69135afb675a68393a52ac94488f3dc5e70b5eb41515fae202688d93cec3b44bceaef8ca40a1e3891f78c86277

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e7ac7395d62f7cd529c9e0b889e8a883

SHA1
060beaaed9e4f92455d90d7d52a125630b7de623

SHA256
b44eecd0161cb5836f5c234ad2bc7ccff51a2a11f1dc08711bc3979c714750db

SHA512
62a64fde5cf496db475885ea24bb3f2779dc2ecfbc0474d77092ec5ab979d0cff69ffdbb8c60bfa7d2405f0dc98292fabff0890f3a8ed4b4cb43a7c8897bd7cb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.6MB

MD5
608c4cb0169f1d2b10fa5c1d75b115c8

SHA1
d45ae314bfc15fcc6a745190ad1e358d695330cc

SHA256
937a9d9d5f61d9e794517b15bdf74c4b802e7241525f237e161afa9facc4322c

SHA512
5074bdf31b4ca14854861e61c541c57d7ff2231f886e3b98e9c8904355a71cc1a9bd48b960b8f3cb566a576772d1ab93b4428ecfad58adf7d4439f8e94287729

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4d33937d6f1c31d80fe6df90f09766de

SHA1
72b465f4515cc7d804923f41ec28fec7b86ea7dd

SHA256
f599f99943a8dc575145550f1c1282a339717a8e40324c673e924fc711dc9f6e

SHA512
242b32747e0959a1d6b9ef1db006148ee2b90aa27334f329edcc4b2a984b22336c7883fbdd6b23fdf14b6cd00758c5bd83c34d74a0aff9559269c782b20961a5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
330f9b7f1e64f656045133c23d22ae16

SHA1
c6a31e1f23f23ae5d7ed784945bfe84bd5825bb5

SHA256
921ca0e746266c1d1308ddf41b7cb3ac47dda58963e6c9808da208ba54c473c4

SHA512
91af4ab8ea8d2e3eaf47972ff9ef13987f8b3d4cc541d8049eef22906676ee520a5b41468b512376554f52869ce7c164ed144f2945dd156ebc0547b69e85e576

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.9MB

MD5
59f43ee2c0fe6758f07c16bcec80b947

SHA1
b089ec43c9705615958c98d13849e48f902d211a

SHA256
2a18688c8e903c48e847e9842c718c7f4a0254f15720f7321b27bd6089cc0d23

SHA512
d381d834f52bd6fee32c2df6f2e21fbe8a72762f552040dba34e62cb72917ab5b3bf34b38c741651c78fa712e5968f7f19c10d8fe7bb37e5aee5320205843ed0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
61ccf583e98606d549127bc2e8427adf

SHA1
c3b088d3c31faeb7a476b48a99e472bed0e09004

SHA256
74151c42acaf42f4ef3f0398862b5efedb39ee908b3b7d7f2d41f4f925f883af

SHA512
d400c2c1589840d3bf6f13ad2c3e5867f1a9b51ed39daa4faf2317fbeec4234ef4d7fd11d3ed9894eb7e3b4d294e357b69f68f3eb146f88304b27ec1c2d3279d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b7e829d0e45ddb587374c35cf8461c03

SHA1
17419308588527db7f7c81ec80a0f009cde7f562

SHA256
e89d48b14db97138f37626c1dea2d0ab090b28ce3e93db41d6fb07f5ba207d92

SHA512
d22480299897dc4d4a117a634c897518fff62dac7a35081573ae966e4d64943271672cd00b817f0e5d8e7f9775468ea3459577e6031c3974d059a6d20a688b7e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
02bbccbbe2dfa51915a1a769b8af3089

SHA1
9de884ad2ec8a2b687154fe7b80d02ca0e96e0f5

SHA256
7ce90deabea677ef9d9ffdf0a77f814fdf2ec935bb634858036114a59803415d

SHA512
95385524e23789bd2b97be90286e6a68853d8d08a1b373a19b62f902a16c7738f74cd211a62ca1fa136afc84240607aa49e49f6ac701aad45e729141d9521216

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
eb5ecd501311e5a7592a724450e3d73e

SHA1
8ba7d427681991e93d49d2ff4be72b334af12cd2

SHA256
6536926a6a7b715f7631219765f02b6a3851fcd86d4d4effd4960ec571144ccc

SHA512
58fe92359c751ea249fbec2bbdd7d78a4ecd5a6dad60b623131db369c6b8baeb179e6a270b619e2205086ace4606fca20864b822b32e0d491c1553ecacc2b4e9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
c240b06f81b440a716d69abb374a8de8

SHA1
b02ecb42afc8c6b71706a1c9436ac710830c6bc8

SHA256
f4abb81653904cc29d6736fad163cdcee628a663e3bdd6b1ff58038955876cd1

SHA512
4c108a31e745ec70c2030a434261f9dbf84eb54039659a85b217df6e3638a0a36897ca2e98011bca3a96c09bd1fc93dcdacbc0dc137ce2a5864d2e9e677aa38b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
defa2a9d3cc1518525d8b69b89cad28d

SHA1
0ccdb798e8d274480af41e1f05e6293218521603

SHA256
9e1fa299e78763237262e29dccea0ed3dc56c7f84e406ec82175ac43fa60f628

SHA512
4beae4b6b036a640f3d29bdee27dbad713970c4c86cbad98770af24ad5f6d856fd0fbc8a611740cfec661f54d79c55c9bacf11e791d4536fc740c67c111f1a32

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.6MB

MD5
36f200d15fea1095cf69005de3e44b6c

SHA1
63eb09fa9ce1baedf5cf112ba97e8062084bfdc8

SHA256
90b04292cfb57c5e90fa49c0f1746d4d089c9605350f0136289c1bd34f3c0f8f

SHA512
8975556eb6639db694ed4a74d85da898cd43be9e009fff8cd7540f478c96e505715eb4db1ac2b76a6cd0d9c0b6904122bbadf3a17608eb60d07e110505ba078a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.7MB

MD5
23cddcea3603020a1a586df883409693

SHA1
1d0e8e2ff9920caaf02f12fde381c96904005f5c

SHA256
4b939989e488ea9becb67a75100e82226d11c8f5be8a9f5bbae9d4f63463ab86

SHA512
0d3f3f872a645330146bfd6eff51468a958d0b163a789bc9ce612557cefc4bea66e97df8eebea912203421d6880d62beef78b79e14cda6d8d83accfbde664ceb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
9082d491a7a2ed381586c46354affcbc

SHA1
ab964651d42c1f21897f5619581bc528b203f5a9

SHA256
18b4b5c6f8313a49cadd32ddff4bd3a078216ff02de71ee081591ee2d91740cc

SHA512
47f1d2139f5ee7c7c4f8e0675dd6a479d7b01857729ce41fe077373613e6b554cbb78d44ba0309214337c29b099f8c40c8007e1161d1d287587455b8056e9c64

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
61261f304e73a8de377f597ec4efcff8

SHA1
855854948fd8b277c24211f22e644656030fed72

SHA256
3b052ea25186d176a623bbedce6bd6de858fdda5cd4d89846eb67a7ca233e9c5

SHA512
61274aca7c5d16ecda2de0f2408f700b0453f1249996142535462e737d2cd9d2b4ae0579a2131c9aede1fd14fcb7c9f409820bd117d9a6ef798be25c921fd733

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
03c992c354945b225711365eca8385a7

SHA1
7eac956a6d24fa1aeef45ed7d9b26f4a21489c79

SHA256
c98b774359905f35fc636ff119dfed7e6f342ebd1de44e20d40b569a3196359a

SHA512
bcdda76c47556b879394694dba42894ee6fae3fd57acd33eb1c3a2d007118b8d40e07810a02d5a68fd99ee0e3380ab929414c3aa04665cfce32c8d1f37c20680

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e9a89caf25a90afde48121937f06e737

SHA1
f856b560e60d0892fdb5f0586f15edbdfb87b605

SHA256
e56b25909e11d0618563c47d3cb30229ff819595e51fd5b3746bfd4cc3251746

SHA512
b4d9cc73ede40a2ac9578e8d70a1aec7def723492941d8c71a96e2faca154880b61750cef38bf4b2a2192200ec3277f447fcf66c72ae517fdb25a6b0062746f4

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a9c9373f0e35dda0ab013f1602835b75

SHA1
0b4fb6f30e22b39a71aee323ba4716271b18fa87

SHA256
aff623543b814e49217bba9d33490e5b09f1d2f0ee54ebe8ab8ad5595b246fe4

SHA512
3082ddf4c7fa0cd830ec919c3985f9f95d832176b172609b871ba8a36b43b7332af0d51473d61957d424ff35421506ab73923d5cbd423afa2fe61cd227f46b9e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
577194384ed2f483503ca5d74765f2d4

SHA1
0fe695c0cd1026a4eb11a1511793bff59318c650

SHA256
3e88cc35bbb7709febd3a0b500eb6f125a43b20835f781cdd61407d565b0fdc9

SHA512
5814c6acbadfc5012a5eddad861921d1ef8d0ec1d0886e59fbf62fd40c3d6d5ee85f49cd3d7f77305300a442ae9a69f05f93c41f855d93f242e65564a8f1078e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.6MB

MD5
af8c08cde7b31b0d11e86424e73d5811

SHA1
30836e871f045d4ef8ca961d71c44ad3e83a1daf

SHA256
b9281e3ce87782508dff9649153189e63c535aed96ed5787db3601b61923683c

SHA512
cb1131720a8f341e9df0c7fa93b3e59c8900646e796e60a492f046d40a43f2d2fe167d786a1cab672ad35a45eb82829ee03a9b7058c4695c6a32c3bf11de9d46

Download Submit
\??\pipe\crashpad_5020_TBQKTWOQQXOAIIMK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/368-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/368-25-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/368-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/368-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/432-200-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/432-504-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/540-105-0x0000000140000000-0x00000001402B8000-memory.dmp

Filesize
2.7MB

Download
memory/540-93-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/900-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/900-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/900-62-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/900-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/900-88-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1180-126-0x0000000140000000-0x00000001402B8000-memory.dmp

Filesize
2.7MB

Download
memory/1180-288-0x0000000140000000-0x00000001402B8000-memory.dmp

Filesize
2.7MB

Download
memory/1608-172-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download
memory/1608-331-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download
memory/1640-160-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1640-10-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1640-19-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1640-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1764-30-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1764-41-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1764-171-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1764-36-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1780-107-0x0000000140000000-0x00000001402A2000-memory.dmp

Filesize
2.6MB

Download
memory/1780-261-0x0000000140000000-0x00000001402A2000-memory.dmp

Filesize
2.6MB

Download
memory/2800-266-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2800-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2804-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2804-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2804-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2804-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2948-302-0x0000000140000000-0x0000000140294000-memory.dmp

Filesize
2.6MB

Download
memory/2948-137-0x0000000140000000-0x0000000140294000-memory.dmp

Filesize
2.6MB

Download
memory/3252-541-0x0000000140000000-0x00000001402EB000-memory.dmp

Filesize
2.9MB

Download
memory/3252-240-0x0000000140000000-0x00000001402EB000-memory.dmp

Filesize
2.9MB

Download
memory/3608-162-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/3696-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3696-517-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3696-73-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4008-187-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/4008-51-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/4008-52-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4008-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4572-250-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/4572-608-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/4836-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5200-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5292-654-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5292-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5332-697-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5396-303-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5396-659-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5484-696-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5484-514-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5520-662-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/5520-332-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/5648-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5648-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6044-502-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6044-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download