f5929a7905ea4daf9e05ab3114de3983ab34f160cfde87ba4047470db050141a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
Size

5.5MB
MD5

4ddb7adb5769d9fb7a1301b9a79d3b74
SHA1

e804da75528785fe799721064472c14fd72c91ec
SHA256

f5929a7905ea4daf9e05ab3114de3983ab34f160cfde87ba4047470db050141a
SHA512

41c560d0a772849eea564be6f470a406c833a4d786218ad4a212ae378593b6baf42e82f808fa04eae130a326a4b67453e3e26bd5b35afcd22f601a10b24f3d88
SSDEEP

49152:TEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfI:PAI5pAdVJn9tbnR1VgBVmqlI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

Processes:

alg.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4064	alg.exe
4036	fxssvc.exe
4712	elevation_service.exe
1864	elevation_service.exe
4492	maintenanceservice.exe
4208	msdtc.exe
1468	OSE.EXE
4472	PerceptionSimulationService.exe
3400	perfhost.exe
1000	locator.exe
3084	SensorDataService.exe
2148	snmptrap.exe
348	spectrum.exe
3720	ssh-agent.exe
4956	TieringEngineService.exe
4724	AgentService.exe
1648	vds.exe
1536	vssvc.exe
4816	wbengine.exe
4492	WmiApSrv.exe
1472	SearchIndexer.exe
5836	chrmstp.exe
5936	chrmstp.exe
6032	chrmstp.exe
5516	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

Processes:

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exealg.exe2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e048e2528beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052ed40d421aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e95205d421aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a4d81d421aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3c9dcd321aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000602bfed321aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610599144982802"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7a1f4d321aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067b245d421aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exechrome.exe

pid	process
4324	chrome.exe
4324	chrome.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
3872	chrome.exe
3872	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4324 chrome.exe
4324 chrome.exe
4324 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3292	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
Token: SeTakeOwnershipPrivilege	1008	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
Token: SeAuditPrivilege	4036	fxssvc.exe
Token: SeRestorePrivilege	4956	TieringEngineService.exe
Token: SeManageVolumePrivilege	4956	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4724	AgentService.exe
Token: SeBackupPrivilege	1536	vssvc.exe
Token: SeRestorePrivilege	1536	vssvc.exe
Token: SeAuditPrivilege	1536	vssvc.exe
Token: SeBackupPrivilege	4816	wbengine.exe
Token: SeRestorePrivilege	4816	wbengine.exe
Token: SeSecurityPrivilege	4816	wbengine.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: 33	1472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1472	SearchIndexer.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe
Token: SeShutdownPrivilege	4324	chrome.exe
Token: SeCreatePagefilePrivilege	4324	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4324 chrome.exe
4324 chrome.exe
4324 chrome.exe
6032 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exechrome.exe

description	pid	process	target process
PID 3292 wrote to memory of 1008	3292	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
PID 3292 wrote to memory of 1008	3292	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
PID 3292 wrote to memory of 4324	3292	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe	chrome.exe
PID 3292 wrote to memory of 4324	3292	2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe	chrome.exe
PID 4324 wrote to memory of 2252	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2252	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4696	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4200	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 4200	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe
PID 4324 wrote to memory of 2768	4324	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4ddb7adb5769d9fb7a1301b9a79d3b74_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa50eeab58,0x7ffa50eeab68,0x7ffa50eeab78
3⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:2
3⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:1
3⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:1
3⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:1
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:5672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5836

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:8
3⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1912,i,16589739399122328417,10537388042228222334,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3084

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6136

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4df2d8cc47b6d7e58cf07dfae0e3bd83

SHA1
a7988fe7958485878544416cc393fadf55e3216e

SHA256
f2d1ced8a1592ac31662d081a2ef8e8afcf16248a4b2ce3a4c955591c24fbbc3

SHA512
bd627b159acdfde649e7c52fb1199e9f0130fd4dc8c77cfeb7470f6902c801ddec9c4f996c11acf1195224132ad8d1bad8074e37ce790477140716947b361c44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
699e215786c00a8d24d244f56d7a8098

SHA1
03731f24db6ccf9c72d9c20ad5ea438ba3740579

SHA256
6c17593ae12ed616c23c47fcaf94a827fd70129de414113ad8a9847e6e48b91a

SHA512
ad149ba69e589b6172dce063198f8b3cba2eb82595548237ff0cd3e91ba54cad684bd85ec755a5b0586f7fddcf6ed1ee075513e6f03fbe466de37afb7c40ad0d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b1221d183582d37c91c9774a002235e6

SHA1
4cf8367964866959463ed6014d596f01640e378e

SHA256
97bc095905cd8d2d24e19c93c3b8bd9bacf3f4040389c3d8bbb7bb81010dc921

SHA512
b04898a0f11673a0ab02c212cc392906558b6fab02bfdcd95a532e70e7846e925fbc48c6aa60898e4e9255801535a34634e7e82777f0cfe319ae61706c5027c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
5a153a0edbf4b7d1108f345020623164

SHA1
a10d2c08ef9f9d43b9ddcf7516295aa676999cac

SHA256
467d712dcf2bef7bc69b5d6e7645a3121eb29b31b956a695725fe876a3d60f08

SHA512
d910cfa0cd895cf25febbfe2d25dcc4cdaa344351f228e78d1d96129117d1f9b4c9828d0ddbbf79c31357f6b20d254308066bb62fc16bc294542996183718e76

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
940e3eb4fbba0b38d19e514a11c69234

SHA1
d83c144cb58153339485a31d7d8b9cfc5e567483

SHA256
9ad5fa05cc65d30f9858e89db5b215515abd0a9f072f21b0342a6dd39df78a35

SHA512
019163aa1cb4d50d224249f0796b2e07ee00451b2d01ff11cc4cadcfc62873ea4705be29c1e02951e3e511d53954c5ba5f161289b1f87175e632d03aca19b129

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b921e7cea906faa9d1ceba637255472f

SHA1
40315673d40bb6223f4f6dc498c9cbfddeab8111

SHA256
6fb6c260485ffd1a354e0d0fd72b4f0a03ceb2d9f1bf96ab162b4d808b8ad27d

SHA512
1e891554fdcbd108ea102d2424a2e8ddf6993fc4b9f7468a04c02cfee89c88936fbcf5c8e0b4ffadfdf7ad34b9708f4d77075e3f0d5ca70c228b515b28e83da1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
6ff51ad1fa1f7f38431303ddfa010d21

SHA1
8d78e6e6ae1b30ccb29c0d4fb89cba949c3bcfca

SHA256
e3be5a16d040792e6853a44a8b73f8e20a073f1e2538dd775d3562c47217948c

SHA512
a8d181b891f1373c0e0041f68cdd5db0d80e587ad662d2a23531720ad059325b16d27524a8fb41dd3fd6e1efbd05cbf0aa5366fd8e1a2df4706ccf0de061fd9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ed446dad41ba1c79acf43619de21a11c

SHA1
8de1026131ef297e90957241c7e0275845d92c2f

SHA256
07444936a98b10956ae505324218b21d7339739cef92243a5245d48b3bbbe44a

SHA512
330a7d1e636d31daa453d1ef3a0ac0cd99756164ffbad904bf682ff7cc50797fcbf417edaf64477d53d450eb27b20125812f1ae7e5cf12804494be2e80022e3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
ec1d255a784dfd8d444f4e9a3c346b83

SHA1
90aa68ba6081cd73006bdb3ae9b0c110627a551d

SHA256
997f545a1da3340b1e10b0a28a648f72476850b415b06975f022ddf6dddeae60

SHA512
5da84c2a1a31538320f857306b618616c592e70f8b15aafca49990123cb2931ced11a1f4e1b6a85f5459700a5809ae5d080ea3e33e92ab2d1a528cc8db6e78a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8a12a8de4f94b733800d82fec5ff977d

SHA1
42825051715fc66b684527db119dce21515bc9fe

SHA256
b07df18b48b7973adc204c65bb7eebf2ca718c153564cee9b145c7482e6db542

SHA512
cb6423260d7c8318ee9e208a1dfa9b2fb763f3f19e4f817e4fcc414a545ed855eaa632c8523d2ee7ded622fa1b89837949d3d3da01ce2f173396d70883b49579

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ba5620129282aa7a6218c94eb1663603

SHA1
a9ec2c79f07fbf52f8d78f36556ba5ff49d4d957

SHA256
593b9855024646d4989a794271931ec42372957de64dc179e4f1354e0165fc41

SHA512
475c85134a8f67cda7bd4804b5a0d8b5ec0ae6ee69e682382c032d70f3566e55014ba3a7df052eda1f17b846be8fa1ea6c07a7a4ee90ff19b8ba6132ff172bd7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
cc9bf2eaf237b097d1aa4cd1e4f9e596

SHA1
f43e57fbba5edb8cce42f508a83614b69c16ab69

SHA256
d11877057362c62359122010f6b398b58236d76cdbee64759d8b53f3e0cd591e

SHA512
79c91a3a606c82c5ac3f281ffddf6d099b5d2da59031828da38d1b19a9505e6128f186d79a00081712856ef0e4737db1f3a17658a5a63232e802c964ec28e7d3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
416e1bd6b879bd67a0b6ff2ec8f64d01

SHA1
9a0d0a4b43c10b56bd345238f5d90daa39c71362

SHA256
95958b8fc45f7e4250da0003a27c788ed00edc3762d446269927712c290fe591

SHA512
39d4dba69167a6e4c0293882a2611827a57ee42c3ef1d8b60139f80c8f781745e1f6e3201845bfacd45ab9f836a4dce0fb9c3890bdb2d3e0d555a92ba21b972c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
3968cae65158d448a87885c354937072

SHA1
32b8f11e55659e36c6182998a43b52bd86f4ed84

SHA256
7b41ca3f3fd1b1daa49b678598572e0f4751b15194ae0e96fa4a9d39a1a9abf8

SHA512
8cb8dd70b9f0565116490d9bfae72900adc3c12da58b046d92863dae4b058600f603fb14152acf63df3dcc273fe62afadbb5a197df4fae1d70b0818a9d450ed0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b47a6580f90987b9e82506a9c969eb50

SHA1
0f1d44e771bcb3377e4e985a6afa3606eade7a3b

SHA256
63c4274a36b521e4a4b9956b2ab0a15faef79e66b5494ee54307a323f37c02b0

SHA512
15555daed55b83c4673f0b12a35b2d42594fe9623e593ce67c791f4b1b6bec0b78624c7cd322bfa76261b75ed04f9e3cb19585eeecaad3d260f21c7dead5c5f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4745960e1716c82867a1f62bc8538c9a

SHA1
b6a2db480054423f06ce449a1cf8972998243768

SHA256
6cfd14c8ddb44b393f25ba612b318c3e706dabcfea847d2c86bb9b53a7222389

SHA512
61b3bed52551457c2ae4c662c11a291e52c67e0eeb3f33f326d81621c3da2c7cc534cbd5aae3c2237f593681cd3b327d2ac66a19c4c23967c65f3a6510c2c9f4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\91ea120d-140c-4c1a-9b45-1be2c03b92cb.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b248f3519fbbefdf40133d68ac21793a

SHA1
2c3b2c13526b11b9d04dda47f7dc829cf659b5ac

SHA256
5551652d1c0e1c5f65ea849484344cc8838c5eba979bac97ca4f4d54da23cd4d

SHA512
e53ad35ed3b9968c11a496b29e3fe7f652fa3539ec6c3a19416da9166b7ff93cd048d4f2aa5c8d824f6e72c93763e4d3af0b495665ce1f7ccc0aa303e14fc9ff

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
adeec86c1ad6f1523b5e9b821a0653b6

SHA1
ec1d51fc398f33896b50e5dc9e2328393c1b3ccb

SHA256
4d8526d08dd384e60e0e15169f880e6a238ad4c41c6b100c7688ed160157f377

SHA512
40892622611b802a5c223e20c9400f9460ec6ee103913ad3d008b2c0db2599b7027dd9729f8b2ab69cb1db09396a770db94718fce43146a91e4b2375cbc40c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f43075b0d65717e8910356e5f2a0643e

SHA1
6f78517a9d2d90ec947454fa5d66938f1fc9b02b

SHA256
958499968944fd5eeb9ba5dc2e46e5fe3698ba10308f503712b07f9415870c26

SHA512
0becbe5cca5118a15c2b1e210478e09f63dc1d6581f7e4c6f72b65b3ee08da3c4a1b9a5efedcfa6208b0088d09725d07fdfb1b591a5b87375afe381770059314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
2238a3bba1ddd969304ceb24bc468528

SHA1
57f3942435c0b7497aae23fe668790ba79ca36cd

SHA256
bf412341bd7e33cab7b0aa1f546be13c5fd6a443926e7a13e1791edffabc7b2f

SHA512
3324410399accc848c2daec02f443295a0ffdf9af1c221d3a3a95642ec81e85dac90143679aac64e29752b0d44a1bbab42c037ee906b9b14e76dea3067f2b7d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
364d6692c4ff29fdaac61bbd70835cb1

SHA1
ab0ed5a902c8910e59126d0f9390a5e3e88768c9

SHA256
9a539efe9aa1b627ecda917d77977daf6040f14b2fe7f7111986460a26290db8

SHA512
f636977b14cd688d4e10b848c00d2551d129f8c27026715adf4dc8eaf667178570e99e0c9d93f4eb63723a73f593d353302d532bf7102adbfa823e0323fc2791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576a81.TMP
Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
3b967b11efa77d489cb471a423744310

SHA1
127ede35b7faff93ff76c3b3e465c5903a8754d8

SHA256
3d82a94dfccf647661d577f8db9284bf4c1292ba965d8e1ddd1b2556f6072915

SHA512
b0898da79159f1e7babab8f93fb9171fd996d339ac06627f43ae92461dd7bda5cf0fd673ad84e33fcc519e1084354c1a1835e4ad79b88de158e5ccb77dba54a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
8a56fb4c1c361afb2a2bd29588ba7350

SHA1
73c24447c143af1f30013d39ecc8123e68e1ce90

SHA256
045a7e2b4ebefc02def5a6d6fdfa385f8802cd84b1c7a5b90df887fc35831985

SHA512
27bd5b752aa04365028bbd1ab00c8830c7dd9f447b6230eb33479931aa9bbc3f28c47dc5c7e5304f9628cdaaa03f8e7e08b96412da7347d0a1237cd150f5b325

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
7b7544f13fc4e1e737a482f66093e5d9

SHA1
2ba64b48a82cc009b6709dab765271d546bb5f72

SHA256
634bf6648561d6aeac4cf666efe6b240ad589714c30ef5995cff9c1d09abdd09

SHA512
95f0ff55dc100cbba141ebf8813e45a46e04db3a1c699a9766ab0f0c39bfa1cb20335e53bae3b404a2491ddb62cc24d24af161a27232fc2c09a6ebef4b87fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
69c0f636b21dbe3a48832612f3df35f6

SHA1
5dd8582456b2888a87417ddf0de155837138649c

SHA256
d19dc3734f6bff120ea1c3226546834e1a768e2478415520aca6fd87a4fc0715

SHA512
a42737312b828225558f5a19c4e710c6f9e52075f959b9375d530b7ec8e59fb4613a06c8b345596386a7f33f546146b75e2b1060766544722bf0cafadf3ad7e5

Download Submit
C:\Users\Admin\AppData\Roaming\e048e2528beeeac9.bin
Filesize
12KB

MD5
220305ad98b55726950ae899cf448bd1

SHA1
ae481ce193daa0a9d2a114e1d9f8ea84fe966fd2

SHA256
ff6f537501f39d2d56d54488c87ecfd65ef73422dda3bd24f486a99526cf3b54

SHA512
6d178e9ee2657d05f1502718849e0d90ae13dd84a2addbd9b78246e61d07f5286902925b363f1146140a384f575214905243965ecdb1e62bb75deb8e859fd9d3

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
59776c037f2ccbf03e926c29b8788c34

SHA1
0625bc72b51ae7b1211bff7ff505af882b36688f

SHA256
5f861f4e77832e7b91723ad09722f0848cd00b9a9ed843f4fba20d7078cb867c

SHA512
d2730cfe1811171b13683ca65dcefc6c144eae89e346d6e62353aa2585aa44ae8eb719a168c77355dddeff205c6a6810641411e79a01794aa16fa7434d597e4a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c0bde29abe7e2a0ad15d9b297cbcf733

SHA1
cb5614c0a3dfc7c139ceee41d44e9f8958464c74

SHA256
e5ea19246dba271f0f36f7472fe83bc5debd6d4d6a8387f46fdcb9430a7e4be2

SHA512
cbb231e5b019acea858f300b367f75ea5fb541c88cb17049e9ff363825335661821a07cdbd9ebda8f2f71078639dac16e73a0fea2ef2d0f7e068b751befad497

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
93c69164d1ef896decfbc93f871fdabf

SHA1
33481818e367cfb8aaf7070a80b22c683a997b68

SHA256
aff077b2942b8ceebad26bb32c22ae16c62feecbf0808bae73e725b35855fbc4

SHA512
cdbc6c7559c58779e559e09b707a1ab43f674bd5e64e9456f4dce7ace74595a66f392dc207e660b86ed375052b45d550b8e439415af7ecd243cae0bd6aae90eb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7a026d89166a2d58e6ef24787e08a4db

SHA1
d366c380d9a1929b7a61c6345bd5ed423094c066

SHA256
8d4ade7ccd05f6f05e5825dd0b2a617bc2350cbab9deff924178cbbb424370ac

SHA512
110a8d3f4c6c05eba9610cd295587fc4712c827bb8a398efcb7769d78883608172e46121a74ad858cd7794edadef538436e2f33ca9916190b35ea34434efec69

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
89741b266e06b9e1edb074d5dcfbb289

SHA1
a22e4b9d7af5c8c5f59a612ac57b6883300680bb

SHA256
e84e42dfb12005acb30c0a1fe57f0f41031ee43d1da198e9cb71fec3685842b8

SHA512
a0b462f05140b6870e8dfba8915e13792dbda9e0c9f228abc6e2ba98f7f01e3b765cf8db866dcc9fd07b006b156a2140340b45d37e5adc458418daec0c71e8b8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
df6b85f6651c8d46d85bd19ee6282305

SHA1
02673106c63b70edbc93a09be5743a111b6b826b

SHA256
ffc7464dec198fea79d6aff4c5bc0d8c2be4a3df6d7473ee1c5a80d0cbd0d125

SHA512
7d5fe6dac578db54f932bf50bcb138dcc4fef6672dab2d47ab8eeb861abc0c9edf0c3ac4694245b51ac1a60468cd20b9c237c24e4330182a6f2a1b6646153e11

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4fe566d9fbb1e125261efa002305de9f

SHA1
7f356cfaa94fddf8b0c14570ec931fe270dc8b27

SHA256
199732137ed8f2dfef009f0a56ef83e38970625d598f6f889900b33d1a95ced5

SHA512
167d2777e7707d3fdbf94f9af3a2607a4bfde9d77e2cdc649752b89aec34eb2fffaab7b27a56cacb56ec63b81d8c2c88ed88eb9c24f3b46fa498907a55a57aab

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5dcf7b56d1ef8c43a95caf7d48088de7

SHA1
b87dd43194c03ea45dcaadb52df58d1667fc5b00

SHA256
4356cda84c73ee6209c76bcabaf60d4329ae3fca2ff344c079ec6cf4312f69d5

SHA512
6f417f458a90833dc04ea933557f93030ced127dd7fb9e341a411c98b7d2f14b8127096929ee6c236e0eaf18d105f32913a5f89cb09baeb31a79ff16c70e4e94

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
21ae32c7d11e3decf7ed7ff3b4fcd09e

SHA1
9337605e9bbdf22e16e6e15de080f162bae6f09e

SHA256
e9aa6228fe00026a1fbdfb5cd5f844e38019aa08b56a85ec158f955f62fe2520

SHA512
2a485026e024d2bd06b5cadc4b0d5165f96280d32f9011f3a9f71c0b933d273d95bfc171a90bfb15a7b3d557829d9ed8f7bf96e16bb9ef4355425b615dad4bb4

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e9f24d64e60b45e8329a4f024147883c

SHA1
12dc9b4851eef59aea35218f1cf812a40d2ca8f6

SHA256
9162c85a967cbf054480b5f925798dbebedad929744fcaa410bee31fda444ad4

SHA512
24f3c0b4c02e3def02856322e3672523b6dca420107253e45abb9c97318ccdc7333cdc3bbefe9bdeed8750841dd39e713f3fb6baf5bde2eae8aad1aa9b6f98ba

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
265b5d52efcfffecb18d6f090ec45f5a

SHA1
e6237cf5b051fcb34467b2a6f7db6f43fe6e8db6

SHA256
95a6794d60daa1c1ad063c08e4d02ceccc416fe419c7882dceacec3f572254c1

SHA512
04f9a8c196d1178f840965043462706b1a4f698c735094576b8b4e1585655274827cd71a8b6d64dc9578866932829fbe38099ed68f6f3fc27a963dcfe20569cd

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
df8d4cefe7ed3e773a93743c916ce398

SHA1
e34b63d5acf3fcd2ff3ddf8a6cac5bdff7063e7e

SHA256
13ae448103dbd5a7a32a89e167b36061cdd2f10f52844f893046c2a163e8e039

SHA512
9eda85081fdf62c112f7c81af58fecd883cc8e10bf522f1f37a984a9f2f1d8c3d3e2f790f85cc61056a68807e0966f1740493f56285c3d3e6112b9abce4fae2c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
98589e05a93635c4bbfc01801a7c75da

SHA1
98dec172f2e72bc8547e7859771b927129e3e460

SHA256
394739e991513e856e80884b64b96c89ba9a62dd8b27985cc46f71f0f010d3df

SHA512
12ba714ad17504bd03e401ea8a6a3cbfa18c0eab4d357312d9b2d2c7286b47330b12acb940242b0faff61fd72f70dd9a365bb3ce125d599ee5a5ecef7ce0a62e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
873bfac5fd08294c35327b79cae3af05

SHA1
27c8119134ebae6f08ade98a0f3046a15ad9d5e1

SHA256
fcb97545dfc391ad151083afab769f55734d5bed0c153591772586d7e6d2de87

SHA512
cd209e87175ba9380b0bf96045171bee69af3413b8f68e81e4d6b7d216e6b9f87470cd63841662aad970e1414364b37e50ca607e78807d5f9d71e134f847fa92

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e5f2f2b106a714615d4c1965d13ca405

SHA1
654294494c5c1b6195f01ecfceb39bf7bd8495cf

SHA256
d19290acaf44c0e5ec74704806970a9be702a3dd917259d642926cf725aef4c0

SHA512
b4bbe6d76f944c6c713089213b138a3e05f6bb4b7589e70d4df2fce9e8a89f6aed78208b20468f181d85b9d2197e1f07d9a41b72c3e37fb50581412bfc54756e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
a0bccafc0086e54294c3ba4464a95245

SHA1
2d464414da21d8ca71c55611a946836adeda2053

SHA256
35c6231c95529498f2a4e572135d5face538c531ecf2c640183ea6b7d5df4360

SHA512
1d464b970d2e2b1fc3cfa1eba563a26ee1c31a605a4616010b47532757d759952fe08f8a0b507914777ff9f2b7d92ccf25d32a52a8122862549ad02bb9e903a5

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e0606f71e69e5c1f1339608305868e92

SHA1
ce2e1cc31d26484dccee7cf4542d0ab17a114bcd

SHA256
ce7b669e8a2cfaf851b2b4b0835f3021bfe7082ab67bca127a77fe5aeebb31d5

SHA512
e59ad6b11495e56051b4990a56738608015bf14c201697677ec93f2aba7de4db2e9beaaa567bcbf4beeebdb6b624d07a6622a86649425ddf58b357858bf2d575

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
e939445c26546a88517617d517c5637f

SHA1
8fb58b421b74bab8ca89a565f1771dd10a011977

SHA256
e94098e32e1ba3d2a8e0290ba21f72cd33ab805d0686e1e3013f538c89c78108

SHA512
a5792c592105a25d0767756fc2f42eae6c3f761b8b4dcadebb632942e4159c210a3f26499e93516e0e1d140e719e4792c05a042be5c65e1cf018a16eb4bd8c94

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d94ee8fb44df6dcf48e99e7b72947995

SHA1
89068844b846eb67e0e0cb9474e6cde15e9f35ea

SHA256
b2ff4a14f48f6114d1488b998e3a3a95ae12dab7e23fa99c7f3584836e2d5425

SHA512
ae47b3c8bc696f8f462ca5dcb81e493ce031f54189d6fe9f0b15a501ea733e347f46f2b573f149fda74b8896f3a215aed416f5f744c422cc072638d7ab8122e5

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
6a09154afd711a5692384d11d2585007

SHA1
bd29bcff498ffb510dd9787b36ce1d4781865ba3

SHA256
994152dc22c486d3bde01bb71d1fb0f97b92f8f031c7a7923c90268a464152ba

SHA512
cb7d93f2eb7c61bb0d69ec97c06ed9c3bb9f96ef38f1565215b6942b8453e5d85b07363ef8ccac631831e00d5c5d9490281599aa02dd7272c61932608b0ea2e2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
8c144557d6114807896676b5b3f49b57

SHA1
725918e731e77c95a77480304296a200fd7c0d35

SHA256
d9defc3273788513682a022061ab9d739727b6441aa59898ae3a33b3800e9e04

SHA512
88b7674483818f6f3d2b76aed26f9cb5bd309f6f7876591de05e2990c1c663dde049a7bcfca84a7d863ef90fd2e72a944649b22ff84bcab81ee752da08939a67

Download Submit
\??\pipe\crashpad_4324_GAPETFJSLZVYJTIR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/348-251-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1000-248-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1008-17-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1008-514-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1008-11-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1008-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1468-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1472-639-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1472-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1536-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1536-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1648-255-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1864-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1864-605-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1864-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2148-250-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3084-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3084-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3292-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3292-36-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3292-6-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3292-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3400-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3720-252-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4036-94-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4036-51-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4036-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4064-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4064-519-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4208-126-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4208-95-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4472-127-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4492-84-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4492-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4492-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-88-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4492-78-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4492-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4712-64-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4712-62-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4712-56-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4712-333-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4724-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4816-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4816-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4956-253-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5516-691-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5836-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5836-517-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-690-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-520-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6032-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6032-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download