28c93deb36270cb08e80cae5722248b135951a3041e11dd4b8aa1828a4c1cef5

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
Size

5.3MB
MD5

499fae01b3b8e6076e712d001b7ae7d5
SHA1

b849843a762a1ba020fb961bbe6b935922317df3
SHA256

28c93deb36270cb08e80cae5722248b135951a3041e11dd4b8aa1828a4c1cef5
SHA512

f2fa54e3e9aef2381e5cb87d5d767e6b9fb3e4a80f8d9748f15e6194c4da79d7c85807d56e3f9404efba94325ffe40a287974917a0055b53cd7c41dc0f8a5691
SSDEEP

98304:SLXClnwPWrDSVYg5MHKO6HCfyAo77wRGpj3:ZlnwPihg+ByAo/F9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2900	alg.exe
948	DiagnosticsHub.StandardCollector.Service.exe
840	fxssvc.exe
3376	elevation_service.exe
1160	elevation_service.exe
1096	maintenanceservice.exe
3968	msdtc.exe
3408	OSE.EXE
4496	PerceptionSimulationService.exe
3132	perfhost.exe
3196	locator.exe
2152	SensorDataService.exe
3944	snmptrap.exe
2928	spectrum.exe
3464	ssh-agent.exe
4700	TieringEngineService.exe
3500	AgentService.exe
2456	vds.exe
2812	vssvc.exe
4368	wbengine.exe
3240	WmiApSrv.exe
440	SearchIndexer.exe
5428	chrmstp.exe
5504	chrmstp.exe
5616	chrmstp.exe
5712	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7f0df5bf92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

chrome.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587919465464844"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e826f8478199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f36ef4468199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb581f478199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3d2d7468199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b2f56478199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005833f9468199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
5040	chrome.exe
5040	chrome.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
3092	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
948	DiagnosticsHub.StandardCollector.Service.exe
5300	chrome.exe
5300	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5040 chrome.exe
5040 chrome.exe
5040 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3220	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
Token: SeAuditPrivilege	840	fxssvc.exe
Token: SeRestorePrivilege	4700	TieringEngineService.exe
Token: SeManageVolumePrivilege	4700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3500	AgentService.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	4368	wbengine.exe
Token: SeRestorePrivilege	4368	wbengine.exe
Token: SeSecurityPrivilege	4368	wbengine.exe
Token: 33	440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5040 chrome.exe
5040 chrome.exe
5040 chrome.exe
5616 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exechrome.exe

description	pid	process	target process
PID 3220 wrote to memory of 3092	3220	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
PID 3220 wrote to memory of 3092	3220	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
PID 3220 wrote to memory of 5040	3220	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	chrome.exe
PID 3220 wrote to memory of 5040	3220	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	chrome.exe
PID 5040 wrote to memory of 2400	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 2400	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 4676	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 1096	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 1096	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe
PID 5040 wrote to memory of 220	5040	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.168 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140431148,0x140431158,0x140431168
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f158ab58,0x7ff9f158ab68,0x7ff9f158ab78
3⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:2
3⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:1
3⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:1
3⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:1
3⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:5252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:5300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5428

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:8
3⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 --field-trial-handle=1912,i,12761895717045470682,4938398912337201258,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3380

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4492

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7b3abd78d0ead42e43ab6d1ea6cb8739

SHA1
c0190d7367964cc90eaf9e2f506fa1625b50e969

SHA256
f47a751525e4817b06e22e3131270d1fe2f62c9534b1f1a532601b49c246cebc

SHA512
169c5faf08f9ac0d3fbbcd08f6c0e99138f4d0980443c08ac5c6117842d00642331c1c46f2d14487ce2837f1b1138e34ceb14878aee89bff37983c9a5c0ed1b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
c91351b1053425f01ab213f0716a8708

SHA1
6d0928b0beb65a6695ab367b2b178843054dced4

SHA256
89424c5d86d3f74e521dfcfbda1988e32162cccd102f278bbb7313b8f94c2abb

SHA512
0e020dfcbc20582301a61750eee46e8c41da3fea8fc27935f35331ec9d383ec642adb983c094145d809313feda3a5ef00aa2bde67eac6bfc9fa6f62e4741c2fa

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
b7d5529d9aa470553a8f9953a7d3f998

SHA1
28d2563200694044889f45dea9bfebb529ef14fb

SHA256
ee0e5a6b20c6d1334451c0ba9d01659a7df42304d4d0bc6545b3aaa75f8baacd

SHA512
062775b182b1a038f8eddecdbb50cf81d4034800f499a99a79b310cec8752aefb06bd6defc7c8cc5c2c250b1314664fffb487164d983079cf958b46806ffcca8

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ef3c5ee01ff079ccee63166ffd2a8fa7

SHA1
943b374a7dfe91f557276ad0a83676b1e5198aeb

SHA256
95911143bc51e825532ddce4f7a0f642ca11fdec99c6c3b6084b0a2ec3d25d1a

SHA512
48a9ddc2b4e5ddfcce82a99dc9192ad9db5ca7c635714f7ad69ccaa96d5e649d435b754413928f2f766927ee855ac662f708c9f61ef9b611197bfc78da19c1cd

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6b6827d1c7ff97ddec071b4a6e403c5f

SHA1
cc5960ec4d52ab4b9a8d6df14a7d2ea0ffd9efea

SHA256
26522420ee61a617c57e666a3c415b963ba78f123865661b6ec26825cdd2593e

SHA512
d4a354736d003f0c9a400389f6cbaed1cafd912cfda53a869cd467803b5ca68d1704e0327ac7d40b64d82a20ce807346ac2aeb6ddc41eb508c1585baa424a57a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
089db63b2486763c1ecab3e7d5aa6d5e

SHA1
15aa8e22dc3b3fc818670d7a7bce5b69978bf73e

SHA256
6346bd855c83f0acf2c37af52dcc1b3c489f8d9e123491d8c33b5d25ee9938d2

SHA512
71936130257564661db4e7baa72ca195c5e793dc898163c2081285d16ae39a28266b5a5a0e1e631fa45e09485c285252b42953dfd10afc7b13a63be54c00dc98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
abf400bfac8875d9ed6e9d8e2997f44a

SHA1
cddd74b13167c7963c7c8230e7c36f244f00c5fc

SHA256
67e10f2efb9d5f49c393f4b1a5196cc4c35a1d18081ddc7166e7f66669b2078f

SHA512
ebff7b69087dc782dfe14d9a140cb9a02e06ee651ee84c122fe878e3b251e88956719b1161548ef0c5d42be149f9a2ccacd421d0c92abdddaa8a481523cc405b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b960b5c66d5b264ffbb6290af58526cf

SHA1
7d137e85a6f7d62c60ab72ba54f461caf4f50088

SHA256
c2d30cadb442ff7fc156fe9fb3eed41af2d9f85fb5f7a6b8f6181f6ccc869f1f

SHA512
cb75f0088752947b6c77454ee2074999a47c93caab1ac9dd03bb9849eabd58e8553006d0f83e81f54b45900ae150ac152a1e79704c8b5ccc001fc0d028998ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
2c5956451840a5b28fd7984f5344c7e1

SHA1
81c66733e3eadf643296e5c5d8923c514ef37938

SHA256
4d0be4554f3dbd3116dc19b06355c575dca121de3ab23e723073c1532ce743a9

SHA512
0ec2796ff21d89d0404d08dda4cf98a2f384513d939046d2fc7adcafb9570ad32eedd64452a0dbe31161a90279161a403d9e732c4fc9803dc098898ac6224f3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4990b32e8eac98aeac5f0d29441bc0d7

SHA1
99aa44d4002a0651dac57c0a8a40543c5b68e9f4

SHA256
cbee176fd0c8e608a6be78924357a064f641c9c1b81b59482774e543b92e373a

SHA512
cbe5b1167a01a92355d6f2ced1d7a875ebade57c43ab6b768c287c30e231f959b4e6eb6be66cb1e65f5d8c5f65ef7e97982ecb59533ae58fb56666bca2ef2b8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
18fba66267e9084d2fef4c3171e1738f

SHA1
56d78a5e9af536040e29caae8c761f42f9da72b0

SHA256
d4a6db24846cf4202f45270fcb625795b9d8c2e915480eedc6bcc16c160780ec

SHA512
cf5dbfcbcf4be173928a1f8e0ca9a55db6ad582f96488e2e6ac70e81246d33a83473a7d7414ccbf172564ca41ceedd8b96654013f73851fdd4a2809abe1eb80d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
06821dd03b2966a95ff8be756e42bfae

SHA1
7fd6fb514c90b44ed9544bbc0c3438424015c0c5

SHA256
06df366b101aa96d1ef5c8731e75e2d996ee2a682a4173aa09f4dd42fb9b3345

SHA512
910dd87477df0d2c72b092bdbfe71c3be8677884d928d4bdfcad5b730f0c8f4203194bb19fcab4e896afea1f0b884e757c060e56cbf68fd0b55536e8b89df143

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
c3176dfd07fda46287c69faf11c5bf8f

SHA1
fef22b3858b984e7e0605343339d6a53888a7efe

SHA256
9745f885203d0a1cc6ec0b9537dff606f7da1081a2679b081861fdbd738a6385

SHA512
c16e7012454498bc2b087be57e38d4d49db65bf6dd06ca0e93c83c8c3ee7c0e5d094477f76c992be318726c895cbda32e686cdf664b24848eb6863ec82a33472

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.4MB

MD5
bf394b38bb8ac010b04ce178ab8df945

SHA1
7ade868ea178a4b6d6ef6ff7209583c3f667bc3f

SHA256
b6349830ab9b5dbc6a08a99e6cdf091f6d211264bb7dd56517514cd94d63e866

SHA512
fe61eae723a4c294f2c24fa13c3b6b0a0b788148f123d78805bf57b6995c163504003536caba8382c4701e60788fe736655b2d251ee6870c71a8e4d0a08db951

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e759bd839f3ea6a90d6441ac976215d3

SHA1
473ea203e404cb49e812e54d495fbdd253b91fa6

SHA256
baba238dcf5c0f3e4bf63eec1bf165f8a35db8c5b10ca6c8481b4584dbbad270

SHA512
ad15005ede91c4341057aec0045f00e7e59d274319668c88803e93d8062633bfa35765ef9477cebc7a1a7267895aa34bc230a6160866b9106630d91d5a482dcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
61a39072da906afa08bf90b6cd076e4e

SHA1
3c95f9598ea8c8a3e497d957b1b8c1b37e1cd410

SHA256
62b2d4d931df9b9733d75df564b5b2d867bc55e5874dba68298fd3da8bf30eb3

SHA512
e69e738c90f31fbad79b224d5c6aa3a5213e981c0e42c7034f55abff08784af24348f8962c67e366456eb676f5c3ab81d5ee44ad5f984949a8534ca0642a9a30

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e9d7f8eb-1503-47c2-a004-9fe661b7e87e.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3f76dca14de8e131ba760fbdedc7f507

SHA1
dc6623db9bde1015caae1745234017cb426ce763

SHA256
667b6b794f8d2bf7178dda040420befb749ce72be78d4cbefc2cbb8aac0bea02

SHA512
b2c872b1e1a6c37a734c264a1b1ba9c905699a3f593bce49469f9f648cb30fe3e07d8b30c9fa6d00b691b461686776266d859968135ec88e8ffc83d3610471ac

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
e59d5a10c584038c19b4de7a6aa93ea8

SHA1
92e17af4c762358c833804477e82532404a06df9

SHA256
fd7c4d26f582d03b44f2dca93813ed51562b3baf7675e437dc9da26b7ac93eed

SHA512
18f0ab9c021389cd62570452d2ec3e1f382495e5872597278657209f15f59f38e1d057aab6614ae5ad8ca162b1bd0b510874a61e3fb65ef1a7baa93d94ed8379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
46cde2ff725a189159a945c1a9e71463

SHA1
39b08f19254838a62894012deb19b16b48689fa3

SHA256
3b01574ff14b4561be536cfcb836fb59de8f88013a95f17b9ad96914db9d0e14

SHA512
3be32f24dde09ddc9d76379fe0fb39a6429d38e349b621915f2d47ce166fd579f62310731b04585edc90162e470c24983255d48169584f5bc5d857bf143042b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
99d9dded7bab3642e8fed15ad6baf28e

SHA1
006912f54c104b8bd3e7a4ba12bb59c1a215b6b0

SHA256
ecd6e3adef617a80d48ad4090d47cf454a8f3860cd6f4b30ffc5ef30a6301f8b

SHA512
e733895fb2f9b742bf2184c772ef4a2da1082f4bca733a9f8344d6881de2b72420f339ced63360ba16b3f115f5bdceeb6bbda95b7661f3f27e446ecb1c9bd469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5956d4d3fc315ae10ff09185fb05033e

SHA1
3ddd2b027ba7a072e942b990edaa7261f9eb141b

SHA256
7cfa419a1aa1b70b1c7ddc613c1cb81ca9989bb33d34cc7db59341ac9f8f03c4

SHA512
e5e77e19048b0816f81ee569162ebd56b9566349c629c1747bdb9d9958395c55f4b85f083d3b3f7a3fcab43bd860d43f87782d92a5ff9779bdec08e3d3ac8360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57acda.TMP
Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
c8640cc95f662f55e9130790cf33c887

SHA1
9d4ca47cc94bc735f61962830c47c0456c796cd5

SHA256
1f32ce2995109337ac74c0ab6a8b0122e3c92dfc77674c96e463b4d7a3cbd88b

SHA512
a2a1237ffac016362ac1c167b07a9780d71030478d239a311bebc3be215c8616add5862a17a53930feada9834f77d9b1ab00a7c9b5634681d6a2aa7989005af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
6c918dba351d337f04cdbfac69b02062

SHA1
f6648acdc89ddcdbaf5b3b283a24883a825e6c02

SHA256
ff05f8dec3624cde923d2f93b9c8f128f19c2c809c1f0bc30183cf2033e61b30

SHA512
44c6a020f0b76b237ffe9bc8e5297221abbd44a4bc694fdc7b49a4034e6fc2ca7bd95e6cd61290a9e1e703afd2debf205701ff0959579ca08a1b50cb4745705f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
9c8ec987d90e921d5f29083e2952b697

SHA1
f9d8d295cd400b8faa5da331e209f70e66732851

SHA256
8ec7d93b4e2120267d834659316028aeffe724e535e557b6babfe86aea17eff9

SHA512
3a8dfa029c62e9bf795b3cb594978eb7feed5bf5124f7b4f54b7419c641ff20afee674afb7373063d9cc3c1c5272196896118286ed3c7b793d599bfac4817ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
e18342b919b7a237476610302da6a994

SHA1
8c403bc1f51b743513decf60ae9c455a08c084a8

SHA256
3a39a7e40890828799e9fc04c9332c661bbb1ea9f4173877874e54a74a214afd

SHA512
48c605ab8e95934f3a937d236ce3e3e7570fc838dc9deabab058284d3a418675d52287b6663bbba57b700fe0b9f39188f4b40672860e5079b9c353f22fba74a7

Download Submit
C:\Users\Admin\AppData\Roaming\7f0df5bf92be0f3e.bin
Filesize
12KB

MD5
c1ef4ef9def1e45d6c2665af35303e72

SHA1
035d217bd7675977b06d0e1230f1e3abd71a2969

SHA256
d5e7d4623fbc76c7e06c6fd03fd854fcc0d99ead8c0998cc13b9c723d54e1760

SHA512
15ecf804c3e81987e44698aa628be63c4706dff0b0fd48420fd7d1b59fee79c59cec98432fc06982a9f41f5d84c90446d1637209e5b8b372c0e715a11a643acc

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
1c0bb689078a379a551c9d48a0ab747c

SHA1
162659649147a3527218a723b98ca8d4916ce1c9

SHA256
18e894dd27f4a7f347f161e7da9b9ba04cb152a778a78a1ebf0afcbf8812b9ad

SHA512
13a11d7e5ef2f7986f0e6cb48745e239fa4964f86bfede3043e11130f81aa9615a5531d27d9a9a6d25652603e4a7a36807a18918bb15ea6e8c6fc0d2c3a2d811

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
eb7d042cbdbfb1ca6896096f844f8a81

SHA1
abc366cb854671cdb1ad4e0f7fb4c48e8b34189e

SHA256
7c8d8386d3f76c55dbe30990b35b9ad4ccfa3fefbdc20738b455af4d716fd22e

SHA512
9730890741f5aec2293ea81443458a7a59ab4da14999f01c269a0f509a26f9f0e157c021b0b10ea5a846d9065eb948dc17bf22ca19254c8b76aafc02056ed692

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
5a0a68ab7755b40b9eaa941e0b2691b4

SHA1
97c892f842b30bd5a6f35bb6450c292cb41484f5

SHA256
b8c87335a1211a3623280179bf14f270686c8aac0ee5f22607b6e30629d99344

SHA512
dc5e9ed4f70acb6c2642d9190d16abbf4dae9ac43c98acd6e20af6bbbd70c3d99d716510aeea4b794d55f5d903f58d0eb01e168e89416a38139757f25b0ecce9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c3097ea9923c862aead4ebda302bdcd3

SHA1
b5b399858983fb3445428c98310e679ac1d2277f

SHA256
0080bf1fd421c4f0a41a8275ed98a137e95302ba618dc64614d21912caaf4325

SHA512
84ea0174838bd91d74195d377754b848878a1a06fba6155bdba5005275d83ee6e4d3014e528899ebac623087f5b8682f66b1a4cc6d13a4ab294d9123d3519fe0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
bd40e85591eac13643c0a4b7c892e175

SHA1
e64af71eb03886607f7f4e34194a27143e19bac8

SHA256
275049e1111e5e83d2a1fa580cfda428d0a8f266696f9f211126affe940a2e23

SHA512
6c35b75d775f9de7d106f7d910593bb801d7272d34ed53d8c3983ea8fb19b12bd57f2148fe41d6714101a2a4119f979aa5ade21c4424fe182e91cfb0f0a91316

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
01e9dfa1029c24920fb1f9857c032fb7

SHA1
3edd094555b39364ee90ad9bbd7835c5accdf590

SHA256
52d10f41b14b7ab083a7ee3e43ffa404e75b4858c0f21315e37bdeac2edaedad

SHA512
e8bfc880d8b9792074ed757b8903f197bb5e0b7b63e27223aeebf607217b2227a5f3981d0d396c503930314a89ee7782925a08384401f241fb94da74757bc11d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
e069b3c8b519d6f4e6886298b4d1c116

SHA1
c8045aff2f6e5d98a421cc0925091b1333aa7e63

SHA256
36024fd80c2ffa4f6df7d4c43ed1a17d09add6a0dbc2ebdecc776b4b6c0170d7

SHA512
ad673f7c87f04df5bcdc4ab110c58ac10abec01dfa43e1a439549b0c912c7e295fc878ae8cdc6398db274a0f2e7ea06be11bf9c92d6caf64c8dc0ce2e741d99f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
81f2e90b124c235c50d8b9ac2f3cbece

SHA1
25b3be8559dd5130ca808e9cbe6964e8a0e0a580

SHA256
1d5894b441252b75eb25b351a5c8916b6b89477cdd60f934bb8b2189df354365

SHA512
62ea349dec008d24bc287f6353967d634a9cb26e387afa37e333b2c490450a0ea5b6b9b7f1db90c73708d7c1046071bdce7e0587e659a5f6a74455d4e596b6e0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
61291f1080eff58b5cf86651114e642e

SHA1
61842650a0c09f4b55268343df33fd8d23663b4d

SHA256
2cb026f5d08d957b376602ae4b00dcd221cd5d6659cc06c7d9dbb4cfe37e49a3

SHA512
605bdc9f43f101b391304b7bd9635a4d760bed6a1d487b07c07a2b143a01505c717cf5d43481044a57f8143452af48168f693e299d93b4cb3e5254283e10e567

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ee21d1c17404806b97d54b4ae70a4517

SHA1
ee59b5081933ce2f45cc7f6a07c2073f6af11583

SHA256
bdcdefa08d4fbad581481c03efe7e662862f31ffd9b209143f6dadca3043a129

SHA512
d3b71a346f54361786dff15ab68af31e09a31763b29ab4825067474ed95d4d4d20dd1a74d77ed11ada5dc51c7cd45dd56db578be9c1fad7523c435dca3847518

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
d59675992aaa5019d14a5bf4cffab32b

SHA1
1344c1a623940f4f3579500e23f31e74626e0be0

SHA256
1893cfe0e6f14c83f81f38bcf781da373864ab20786a996ad4bb678a90cce93c

SHA512
7f917a116d602fe060f9a2dd9b5c0bc588116ad7a57f84f989a7e1db085d4a29e280dcbcc054944756c2235d5cdb8a4b15f09e20d557d416c82a0416a4f86ae4

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6b66c4f8f96b9bcc1ab68e4d003aa238

SHA1
4d480686f969b98ab460d759dcbf824dc2585717

SHA256
e65ef78adbde5986664443e30238df59944cebea2b2738ef31645ded11e83a80

SHA512
c00371a75fc11e29e835ffc88e449c814c8fde1d0a6ea0f1a99b5c6a2cc98a3b2eeb955442170ae208f717d93b68553b988ab5d86d7aa8e5613bf13ae5715b06

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
703942904e6b2326d08fff18b2b74c63

SHA1
58a7283c6989b10166c31396283f79c5131b3dbf

SHA256
08f136b995f809be14d87880e3f150e3572e8c53ac7e98f441c70e19ecb37b1c

SHA512
b476b5227c6b3c295f501a267f7ab778dbfeb49ac9273e891d30fff590693d9e8cdee819c9773daf1bcd263910d963a2d73ae9c117f5e0dcf001d9b8908566ab

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
dd8b1065a5f6e11094852a1aad7a3919

SHA1
fd3e07ecb5f8831f19c57bb1c23686b77d9b40e2

SHA256
867f0575ba66bd65653bea037bb3651f2e105ab6dd41d6ef4f7c6be34d94dde4

SHA512
560ca26944f4c4747744dbbb57fe508d1fbf0e3f73691311df4e75bdd4c9f86d54ffa8357f7a99bccb7713363f91e5b3145bb03da67a69d612af68316468dc2b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
996e7c4dc2e0a47d7a176aec9f93857a

SHA1
7ceb8b522f6fbf6203993fa68fc3d460a85c6618

SHA256
ecb646f9c05020a67f9229b8c80da35f71edf022cd0adb004d00b4adb6d22734

SHA512
5eb6284cd1a658430b573700a225f1e2e3a5db14aecb232099f430801f7d108d9dafb401283db0c9ba2f9602dc61311d4645b3235a94f962ed1c687f93d74830

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
63f8311d94eeb75c43acffc2c2d72b9d

SHA1
1056024c91d19f5b51e97640485f3c6fd5f85b33

SHA256
52127a857190ad7d1dd27a9138572d24f585cb15754e77c28772033a54ed2e2f

SHA512
a2b36fc3c18632c60fa805cf2808196b438950520d9377191ee878c4516ccfe0632deec2d85101c0c9df256d8bd69c36f3093871159e43795a63a40ee747db47

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
c28e3a9085743952a2c198fec05b7ebd

SHA1
504bc4f4bcc74b87bdefd24a9e54387fdc54363f

SHA256
e81fd3a6e54cd01f5036d0ccaced68577af945bedfcda0f3cbb6ac664ec16e12

SHA512
5900441434349c76dc9e74948f9e30a42837431e553d939c9936db91c0b9e944b9f64373c4661ef173c8fc2c88ca717bbfdfbca0d72543f68c03a0d61399c8ce

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3a59c1ea3a87cb9128e560bc3bc22a48

SHA1
ec71252e11e14cc8d02048c77c26af2a3161de03

SHA256
5e89d9c8fd79468f72a07a3381d247b5406d873b0eb5e3acf841fc32b9a17a99

SHA512
618ab10ad5e84920c3b1e86a2846122a745815a99a106b6ed3003b0b8185e6f843baa34eee0971748a155558c49900efa6d09cdf6b1e41fa4cbf67646a03be1a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c74ee5f5d276744652b9b028e86705d1

SHA1
3878961a159e0c551e4a0578376666af814c5ff5

SHA256
e6c64824ce35b028efe030f8e8dd57b642de058036c70df18fcac3ddc4734f3e

SHA512
2d01432c0392dcd198dd40280b47f2ad0aa51687896420878c188c8787463026ced3880f8ecbb62a58a06e2ca98735522393af522793b16acf2b876805db95f4

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.6MB

MD5
3fd98b022f71d8b6ed37c8eda2dd4728

SHA1
3535074b90a0ec14954f249ca1aadf46d1f357bd

SHA256
c0edfdb1b4ed4bff54460563710b76c9efefe4b673fd27693ff27a65461c6ec7

SHA512
2bb1d05554a8aa4ed3bbd5dd0c5ff1173230450ad609532aacbfad3cba3292488daaaba0802310a3c3ace705eae934e2b3c666803cab2ac4ef2875850d3b653a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
9aa217d6bf95e768e2f76f88cdc6f00a

SHA1
78441d9935134f176ae47a3ca824198d21e45e0f

SHA256
7abd957912b74647cf7ccc167997e7922e6ebeb885b02dac2d3bb73c6e34821c

SHA512
e399a31866aae0515b2bf99ef89157dc8ebf0a27af5e7b807a40eb476cd4a94940747c65ce8f81ff0ec5b99bd9abf15401dc270977f9eef6387d6cd3e550e745

Download Submit
\??\pipe\crashpad_5040_PUXBPHWERJCHOVQJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-704-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/440-260-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/840-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/948-41-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/948-35-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/948-43-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/1096-84-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/1096-82-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1096-72-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1096-78-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1160-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-702-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2152-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2152-670-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2456-250-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2812-251-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2900-671-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/2900-31-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/2928-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3092-605-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/3092-20-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/3092-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3092-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3132-227-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3196-228-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3220-8-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/3220-29-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/3220-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3220-25-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3220-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3240-703-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3240-259-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3376-49-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3376-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3376-55-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3376-360-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3408-95-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3408-89-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3408-223-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3464-242-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/3500-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3944-240-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/3968-217-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/4368-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4496-99-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4496-226-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/4700-249-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/5428-427-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5428-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5504-442-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5504-705-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5616-453-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5616-477-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-463-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-706-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download