b46cce4d83f2d88c8c7245f77340d213b0f982cd2d3166c1c0a80887bd2bfb59

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Size

5.5MB
MD5

7e73922f786592ba9aab2f81d2073039
SHA1

a4e9ff5caab221bbcff00dc1a8d9ecd7f9ccc424
SHA256

b46cce4d83f2d88c8c7245f77340d213b0f982cd2d3166c1c0a80887bd2bfb59
SHA512

5d9be091352a64b96ae0596fc873b9edfe85f295480a5f96bc920024a7ecd147262ea383d58cc029c431db80649a74e23aaae7ff268bb7dd2a60157fe951e7a9
SSDEEP

49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf2:2AI5pAdVJn9tbnR1VgBVmGpAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1876	alg.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
5052	elevation_service.exe
1840	elevation_service.exe
4980	maintenanceservice.exe
4540	msdtc.exe
2956	OSE.EXE
3560	PerceptionSimulationService.exe
4424	perfhost.exe
1892	locator.exe
3984	SensorDataService.exe
4516	snmptrap.exe
3220	spectrum.exe
1048	ssh-agent.exe
3960	TieringEngineService.exe
4228	AgentService.exe
4780	vds.exe
3836	vssvc.exe
4848	wbengine.exe
4384	WmiApSrv.exe
5064	SearchIndexer.exe
5760	chrmstp.exe
5912	chrmstp.exe
6016	chrmstp.exe
6104	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 34 IoCs

Processes:

2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39a917ab1ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c53869622aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000902d029722aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610602494508893"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031671c9722aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000460fd49522aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eceefd9522aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098dfb9522aeda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
5060	chrome.exe
5060	chrome.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
1696	DiagnosticsHub.StandardCollector.Service.exe
5200	chrome.exe
5200	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5060 chrome.exe
5060 chrome.exe
5060 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exe2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4924	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeRestorePrivilege	3960	TieringEngineService.exe
Token: SeManageVolumePrivilege	3960	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4228	AgentService.exe
Token: SeBackupPrivilege	3836	vssvc.exe
Token: SeRestorePrivilege	3836	vssvc.exe
Token: SeAuditPrivilege	3836	vssvc.exe
Token: SeBackupPrivilege	4848	wbengine.exe
Token: SeRestorePrivilege	4848	wbengine.exe
Token: SeSecurityPrivilege	4848	wbengine.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeDebugPrivilege	2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeDebugPrivilege	2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeDebugPrivilege	2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeDebugPrivilege	2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeDebugPrivilege	2852	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5060 chrome.exe
5060 chrome.exe
5060 chrome.exe
6016 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exechrome.exe

description	pid	process	target process
PID 4924 wrote to memory of 2852	4924	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
PID 4924 wrote to memory of 2852	4924	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
PID 4924 wrote to memory of 5060	4924	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe	chrome.exe
PID 4924 wrote to memory of 5060	4924	2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe	chrome.exe
PID 5060 wrote to memory of 4428	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4428	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 3040	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 1572	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 1572	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe
PID 5060 wrote to memory of 4708	5060	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_7e73922f786592ba9aab2f81d2073039_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x29c,0x2d4,0x2ec,0x2e4,0x2f0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba879ab58,0x7ffba879ab68,0x7ffba879ab78
3⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:2
3⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:1
3⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:1
3⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:1
3⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4092 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:5744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:8
3⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1864,i,17806226274000271074,4596673361363600747,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4872

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5064

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4352

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
64a820cd1316b4c36781ee28cc0f1be2

SHA1
0455122e6b14bbb4c023465ba38fb700cd3170ef

SHA256
c614b836cf089cc5cf49e4a3d6fe25456abba54c8acda0ed5642b6d74056ba8f

SHA512
fec0969fcdd13d6feb7d9e10cf9a19218031adfff7db5f241916efd9f577b223d3d2293805a113a05dcd8fd2a39fd2e595d39d63f19b91106bc4ded412d9b39a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
75671919e82dab5b31d3f7d8190ba82b

SHA1
880f9b4d05f00b4912cd4d2a09fb66f791f03b81

SHA256
a6d5004aaa48ee722dc00bad4c10f7c36e465a21f29ba7d0f22643cd6ba409ae

SHA512
ebac31f95da57b080425f70d40e553ef04de805c96cbc3ae31fc08ddf41a38d1175a42be1cacf36a38e1f01a63176edc35b93ee2b3fbb5838f2fd7e7bfba6a18

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
85eaeb4be24140a7aaa020ba2ae55a41

SHA1
6c02e563fa536c1575b522b8203c87db58679239

SHA256
7da98d21750fd319712e18375cf511cb05451f2b9330f44f8787e194a39e1283

SHA512
f4d18ca1edef033db60c951fa0d2ca175daab8b66c6df8b3e6b566bc7c3b3df3378a1c498b4de5600dac8a2ba18b2d2fb9fcfa0acc30c831be92349071e6ab12

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
736e2d0d92ab593f3cf1321a920c82cb

SHA1
ad51d57f0bf744d7cf77a83b34bb586022d8205e

SHA256
6858673f87d7fc542911a08b85b73d9568ad078dcd193259dce5fc4b6a93e57a

SHA512
ef8968f15ecb53ab7cdd906005d72fac88f14f3f48cabb32492e9fc13a1aa5cba86206a5b0f2e1c9beee2fb1afceed4df0227ede5ac9b469d4a9002cc1583d40

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e75f622d3e2023a1dfa968ad9b29e78e

SHA1
24728009f0dec36a6537d12947dfe3a0ec8319e0

SHA256
92e39d692b67e70c2f03c59b60592016031b5dfff3dbe38a26067d7bde107093

SHA512
75cab41af8c9e1d1b5d0eee55cab9735e0e2f9336234a0b20269dd060a3cf4262dfec0d553351db9958eb12839511db5fdee27fd09a4cbaae39d79def62e4db5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
a1099667a3635de241d4a008e1fa5826

SHA1
7bccd2d00e32420fefd7e4ba5b32fc4ebf738a0a

SHA256
5067e1c287893537344c709e59803be14c31aa3963adc6e1a8e2570d66485f57

SHA512
f13621b07c433079938300daa8beaad7857ce07d1bbdfc6d5c7db3cedbf1c70cf845f302b9858dd6eb6a7fb8749ef01f32d73257356d1ade3e1190a33beaf762

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a89876ccb33b68de11dbfee136df9302

SHA1
4a09ab8c6506146b6cfcbdb2cc4f1e5deb593cf9

SHA256
71c3bee60f384ff2e92c7cbfa65039cdb07d4d2cff0de5e19939d777e6abfcf9

SHA512
5c1fdee4dea38ef68d5e05a7f5f80ce830fbb608d7a9db9f2fa32b45af5186a59e5c8de18eead4f5e47111165bde14596c39f5fe868a805c1f8cefc6db1e1a80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6dbd28c834b852d1187319819262031c

SHA1
a7da5e0f256fa5658fbb67f9421b5b9ccd9cec4a

SHA256
b394bbf206c3fbbc3cf0aa6317ec7ef1e8147cfd1a1d5dca35f434f595c4af35

SHA512
3e1ede54764d35b718f5398f1bb45f2f73a6165cea4c048e0129b96255cc9f471a9af8d452403b54498049edd8f927848011213ca3ec6e404c6b685a2fe15dae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
f6a3e57217d6a9fd572a1ce8a76fbbb6

SHA1
72a349424b1df3b9742852448d184fcb15d1fffa

SHA256
1ca256646a387add9fa33072af9a7ab61942338a9f3b1fe16c7f684eaecdace3

SHA512
ebde14532c2ad2e2bfe215ccf4f920df925cadac45ef7ab05a60a602a2139504cc4f59bd42495a228072b11af3ed5a0dfc74e3572836770d65f0211ffadeeb80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f6700a08bf4b684fb0490d05b7af5bcf

SHA1
5ed9c434c1e30659f96e299d4af6271adf6bdebe

SHA256
f7fe23aa1b04817fc363453b4dfd06d46a184e5a8fbc9aa4c28b44b13b0d5f90

SHA512
722f96b0c21a0c4529588f57379f673704ed7fecbcceb1d48f5ebb0d51635a36e494ee6380d61b40145c045f661c6e2aacccc4c67c3d366ee864f3d1bb294a12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
46ee88bf161f9ad35945658ed6550378

SHA1
a14491d8ad8311443bf376ea3cf039f3230ee624

SHA256
1d750eb251756735e050a53c662f26b0e820d91b1f01af479af2607c672b189a

SHA512
568fcd0c52460c8a79160cb441483766b06c6ad050088f23e8d1ad7b11b11b42774bb241dcdf49b005a0c9a6f3524f546de05469ffd3b6a403cff0db971b0a59

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
6291209026c74274dc76820db486a3ac

SHA1
98bc8cc1e9f5d8884fb5af2fc42b6e9e2b9ca284

SHA256
d695bb985039fc412a2b977d9fc22602c31bd1bbb4edd1a55f4aab25b73f3e2f

SHA512
d61165b7c5a0f16d3bf60623b1b44e7295dcad4745ee8d59d7250e755b4a15578919d7ad6ad415954ce4616a5614ce1ab93a9cf8cae82fc97b118932260c7453

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
a46ca0514adf317d78a4b2902e9c50ab

SHA1
1c92c6f49e36b02080e9b6a3c2914ade555ec13c

SHA256
7ff12e7a64b69651e2337955a630af4ee3da403cccbe555288b0719cc3541f4a

SHA512
1761a961f6d98769756f57d70e0d8c0bc9c92d6e404de987df541888f751292bfcd32f8238f0ae4d9098828eb1bae6f86c8cd93c699a6debc64f3e549e3ab32d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
af10b37e27fc32b6f1d2db8f4f9a4f58

SHA1
c91c6e02879dcd52195a94707064c8b7bee5dd93

SHA256
1bc5772aaf9fa6b9aafc6add2d1e3454be4dc3c487b14a6bedb3d158e76641bf

SHA512
e5816c39fe88dcead19b58205d80a8ed72f7b30da6c5b7397b5552be25dea56bb23046833f9b6503d873c65039aec5562cbe455e7ab970fb27876c13e7f8982f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
508ebf057c6cd4a11bde22087e768f05

SHA1
101c009cb84c16723ae556b017cc5a27ee010607

SHA256
bb3c07fa296080ea275dca5c29e85b5bfe93219a3b6b436b4a331a6bf4c76ae1

SHA512
c438d98474eabe495cf2b128036ecdf2a04ed9f4911419b197d40edf4a44f8ccdfe9b23491994e60f7e2c38ca2f31da8902770d4357526363b8a718c29f24ea4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
7f05e0aaffe779e7a18a9807099beff3

SHA1
1b5f4f1c09b3ff9fe1ad0793dd9eb4f733e65d35

SHA256
7ba112ff1e2c3d27690a910da580d2f34bbf4b59d182af87782061e3342a5974

SHA512
0da48fb2a5d40459e924a5993f7c3b6925895119c5f2fdd6e648853ae14ba05759c5cdf49721ab1152cc98c942e9dc45a464da79de717facf82fd7a5b9d3d5a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d6911e118973c30750f4bb25143f0a36

SHA1
bf2a967d78d7ee3321152ee899c3194c3fa84542

SHA256
52c77c5dae3966b72885e02dfd2ffe40450567c78fac11c7c9b06c825efed941

SHA512
b0811dd14d55261cc7ce5a5f2ae302aff191df9e19cd427c23d217d1546a6c7b06b63e73e54fc2833cd50f25d9019b3cd55c7ae6bc30d0588e88f42169481dcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
cd099f95895b24a4783a888fb6fac909

SHA1
e6aefccc16d886faa6078a57f504b32b7e6055c9

SHA256
528b145fe01c12214213c5cd51267fb23ece474e24d6d458badb4638e5be7a18

SHA512
3c10e19d57911dec1a66cf34be6d1dc01db2566849c3f19201e169ad24d16f91f77cebcac1d5632423d0f3a26823e3b39bce33e0cfbded09e0ac112b5925e9db

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a0656816de21e69b9d60d0023c3cdf0f

SHA1
46afd188a372d06c62cfe814b16aff44ce4c6191

SHA256
361146ad69a7896e499f81408721c00d928e2eb90f4ae40d02d192dc4e53ef03

SHA512
ced53df1adb1f580a543323519029e58b190808ab980d37a6544a68f9eca0a67e2469176b961ea782bdbdfc917fec667b15fa7c0d5ccd0b1af602e0cbdb0db5f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
d5fbbf2cbeb6a15f03eb04d2ac8345e9

SHA1
ad4a1708f07c12991bd35f10c4c099185febc2a4

SHA256
889785741aa9683115c9fcf21099c94916cd55f2aca11f9f578ceec583d0d254

SHA512
1f82417da7265367188191ddcb1504859036f21112488cbb60f3527b74dfcf4439bd1f0fc0254bc3078ff89f5758423b9a37351bd22e37bfa5c7dadfc319aeae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\22f9114d-c031-4ce8-900b-325e87f6eecf.tmp
Filesize
16KB

MD5
2b77cf179d34748b1beac67714e82405

SHA1
d00773b9d45618283b05d2bb66cae74a93bdbc38

SHA256
dc03c5e88bfce8208f90fae379dfdc306b93340898d60e3c41e13b9ed072ec7d

SHA512
befe1fa2fb64f07faae30a7b39b37edfa198737e747ebdd99783e0c5b4f524f9cae36480b12f0e8d2aff647f83394e8e8029e5573b4a6f0d52f52c3c52380521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f1c112a1dfd9f0660d7b7c31502187bb

SHA1
a2207a881e97fc34a936745738369d708cc8ccc0

SHA256
9c3cf916e7225b836f9b9321e2dfe5b06e3304a34d5a76e32370534c53489133

SHA512
d472168d6808a2e9cd71a2ad0137e9089081931530093c674f584607aa7aa61ec88dcff3c7c9fae97a1cbcd44e0f36082ba58d64e16f9ada46dcd97d2755b1b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
0f13dd86e21715efcb4353d5227adaac

SHA1
3dca955cde9921ffa5bfd0a5ac013bd52564f0f1

SHA256
f970d99e70e9c890b971110046c7c74bc51aaebfd285a131c1a1d14d1077f335

SHA512
14e3a2d7070496f0c755be1193410728c50cedeef6ff16c3a9e405e498abdce345b82b485219abd25e3127ebf1425a7ce16bc7eecfa2b52c5a9698623608885b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
fe888e474996dc61facad5f42932ee1f

SHA1
8115d0ef23b184888e483df32741a549cce642ee

SHA256
a35be303788da82696fa2a21f02dd8f14b4765a0aa712784d89759b95bc17327

SHA512
f15b2ab5b62e6c6bff5d53434593f545584476c120c90007388a807aea1238041cce957886a43fe6f36ba58c509cd53a9f7f7d3a1e5b126c59a229517c4d3dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578220.TMP
Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
7f8d572359991026b56ef9e09dd2b94d

SHA1
6e7f129946167c6f150c0f584556091a670b268d

SHA256
ca6ab3d3afd67672b0056a227eae47cd777322764827e2b9183f52ea39bccbe1

SHA512
1ffa71dcf6f44ac63bd7678af05c5e7eff1698e6390b9718809d828b45d4b2b9bf7643e3020b0d9c3485a089aace938be9c1040ca5ca366ebe7a245adc1d2792

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
960fe2a8f7a3e552edadedb1eaeebcd3

SHA1
8481837eea6c2aae4ca46c9d8b374d61a6f05c55

SHA256
ff1c340f4c38506efa50d0c7a79e049e511f69a18833d6d2984e417118420da9

SHA512
3caf51ee1a0d606a0d5a2cbee8ad70c20ab941531bda3d0b16cf8edf247cf2ab2e7c9009f9de99f5c106f4c523eb60bef2309ee9d9b1029fdbf7debfa91b4f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
5ec04e16b69e261e849a9a45c9ffcf54

SHA1
2675a83b51dd2091077da9a2021a64c314cf430e

SHA256
5b3f06668d20c9777aded5ce54ddfef347e3b2dd19bce87dc90c3ebafd4dcf8e

SHA512
014d306151e2cb8449f4eea5a1996c054fff0e5fc713adf23deac3144eb5b24029137a13f0b6db0df1faea11510e5e3e8713051a2adf7b24470396ce4007beca

Download Submit
C:\Users\Admin\AppData\Roaming\39a917ab1ed82f9f.bin
Filesize
12KB

MD5
5b2217647a7116a323817d1583f9d034

SHA1
a75b1eac078800ea2b60f867425a1a5ab52da9f5

SHA256
c5ab62c22f5c650c836359d9e050b911f0b3f674c23d6f366d79e83a06cd3221

SHA512
390e8aeed95d09571cbda128241639abe2f688a00f0b82e721698b552436377c58e5a6af4e5457bf18ed6b3592a60a006899c714d0a64127352043ebcc5f1ec6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
80a9b6a7f1e6f6363a17d22f8c552c9c

SHA1
1610751c297eaf474cf585430c1d00fbb836ce88

SHA256
8da35784e7478cb3105acd33a37686301eb335862f508641b3fdc4043b5eafe9

SHA512
c0ee7984a4af478ffc0f4fc411ae583ab6615418533b019eabc8a818c0187f2b89fdf99530bb44bd51f375da8e4635dc50362571653a4ccbce4b0da74ccce98d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c7c8ca0488bd1fd51380696c1e084cd7

SHA1
024e8b88d9b6aed4e093bf1e77a04927872ce966

SHA256
7e23f96f0fa58af2b86081263fd6ad6df87c2a5e9497e4a9d65bf81142084d3e

SHA512
2a0427087078f1b8fc9629382d8a3a0551085c4251351e4d04042c0aae7ca08d6049b5869eba4ddc755be703fe8a3b32dbcc06c7d2f4fad9e3843d269701641e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
107d889567a3f3ad306d06919c424461

SHA1
4369e6c331ef03f4c057186b774f3a26d039d657

SHA256
ebd1b7bb29c854d002e16f24b5a260e748b78591775ac49161f447dfc8ce6d2c

SHA512
3141c01a20083f4a71b94190fe539ebf689598bbf5e773e9bc127fcc438b78b9ab66bbf284abf31fd6b6c572491177b644607d0adca2614d5f864187695932bd

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f6ac27e335e0a44d1b8ed05abe476904

SHA1
6ef4619a82dac58f15108754fe9a23b6af3e5451

SHA256
0392a01ed5aa6395ff767e6ade7546409fde0756ba5b5050b1e997902f5eda84

SHA512
fc8c1c284b3d1336d479e320bc18c9e35ecefc060b5243d04caca4142425eb91358b7204dc94a4f0841e3663601688d82c5ebf69193e305396d43c6f13d4389e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
0825358dc68ad90dbf0c69bec0797733

SHA1
1f80cf3555901e9e5ac2857f7e6d9e3d315dd789

SHA256
fa10be4ce2f702f516290fcad3013efedbb413683219823984511bee1381476c

SHA512
8d9db44a534c68e6ed6d67b30ee2d4e41dc16f11763218bf05a30d0c764a0caff76585ae33c2fb7b6521a94f386c37684d9d4ce8154e1bad8ffbedff6f456e82

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d1282329e4555d5a245adfecf25f80dd

SHA1
a5e921b0c93d490d48aa5bc8904d79afc982d6dd

SHA256
0a0df4e22f44903d788e315e3b57cf208d1cc24543bed0b9a48829128bf6f710

SHA512
0c54861d459a1d08f0c27c721865a4fd373112710b2ba9fdac9c9ce060cde878ee7c8c052857c6d901c2c0c7f81281f4e7b0b92a3af819ce57afca3d1ad9db4e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
48f19b9dc7b6a7c8e50d07e23361afc2

SHA1
0746303ad859c19b8893e607a4d741c011825a2b

SHA256
feda457ebe83fd2f198ff386aef1c73a68ce69162b83290c98256f4d5240909f

SHA512
ed0a97ae6794a6dc0336d3d3a7743925770be1a98f72f6e8fee61aacb0c815f420a4b257ab98b1e3805dad378c44fd2964017fe8eb3e5562b726b156160fe45f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
477875238164b61baad1f3a80865135d

SHA1
d1da66ae06bb368d0cf779bd10914c1ca89a4776

SHA256
139614a5ab690247ad63847fcfdbb2d40e156a0d69f8ca96d7ef0c803c394e20

SHA512
dc3ef173230f41d63e65a3512d72f28c3c81677366ea98956b188815c7dc17e2576c70d1503cbb10160bf0cc1d18919aa69d7071d8c2bae2a2fa2323fb987e9c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c856e11fddc1ba5f0f9dc7d8932e9b2a

SHA1
21772e260aaf7c0974747477fc3019711c01fd97

SHA256
517f815821b1cc4bf94994672fb20fb0082be3fb263ae0a7fddb4ee8e7b2ce75

SHA512
c9c78ac749d75bfa501c7e8dfd2cb20cdc89a9ef6922b221feaaa124e01eaeab0df434a70d91754fd9856a5a4b341bb60d4d23a493c1de968b47f51b66e89994

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
15c01cc95871f05ef0024b2b40d7b377

SHA1
ce1216f87d916157b0283c8eb0edc9a644e7853b

SHA256
59d47d36f519f072c652501fc093f0b89e0e7b4c33869ace5f6793bf20838686

SHA512
dbba489697aa54945c7c566adf8f2736a6a02864735e0ab3142674f19a59e57a5d9b05e78494265379c7c11419df8bfb3e9cf19ba6ad6c8950faab56dca1f2de

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e58fbd596676e561730046d38ed98801

SHA1
1c2efa9b9097f6c8834377fcf2d6f3107d648e83

SHA256
805aee65712c1f4acf97380562d66abf40ba00262754675c904217fbd86efbcb

SHA512
ea275fa339d7a0f870a35d8a18347ef5e1ccb744487c5215579b819e776559c557d0e77bbf380094ec5be9491bbeee48bfceb493b48c2521a05f6272fc30c162

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
04dbb2c1d3f163cb44631e12c2db382c

SHA1
a7822ee80897ac083f873d5bb7acd9e289f137b8

SHA256
054a85df9565460211048d0019be3dead91b5f49bdc9925254b033611d1b4adf

SHA512
a3e1dbf5defd85c6794ad738cddeef41cd2182e8fcae57298465fdf7924a551e235805daa68371171016f3d33890e738576b6cc43026a187a5bd99308ba089bf

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
104f84f36a7b635576477c60eba5725d

SHA1
d467864d3bcee320be84d1a61cddaf675e8b0a32

SHA256
77e0bf177cc922c54a162bafe9d732671e4779b8b0d40d35dada1098ef7e80b0

SHA512
b7fb2af338b5cc441dcca4ba55ab3b224cd9f2b5e90794918b8c7b844e602b9455860f49727258d627de9c729d34c41f3ced5be6ba0187b3ea5c0f58f9adb18f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
28a21d158dda902c3e0e559cf35cd222

SHA1
2616ce81550b02ac6432bab5ef0178c5185d75b2

SHA256
78101d90799138d697780c36844707da4791307758bb73a66abaaa4aed1707a6

SHA512
2e2be244290caba224db1ad21ed3356a663e412025c9805a42f8f26f118f85db94365276912852f6d373ae05777ea2aaecc48586e63adbb25e687e903a67521c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
33ecefbc2e0f572a605c8b5f2b1c15d6

SHA1
6132cbb630b96f89898d868de9c2c4a9776a6a4f

SHA256
c6a7054b4f6c9b64c2597e007ed67e25839b2feaf10676962308be6426b609b9

SHA512
c66b0350c88db2e98e018ca2cf4dbfc67a6a6a3eeab9fa08922ee15ce65bea971c39d54974a5b646b998d9cc4508acb505cea8be22c6688e147bd1889de859d5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9aa37fa53e9c238e7e709ccbf762ebf4

SHA1
5f62a7f4f96344d77c91ab4de9fbcbc6782bfc77

SHA256
d9e35be273b0737e987e2572864341953e526755767e72a95f3d4ed11e593118

SHA512
b1749577071bac8e7cc5765d136269fd43a1aa37648e51c14ba8c5e5657a40b70c82aaec7232ad07fb8aededd275b1af5b4650f2d0d942bb6d083c013368e6b2

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7ba9c33eaf1bb37b2f33039538bdc4f0

SHA1
f05f4e5b04c2a10a36d8032abb3251d04fc9332f

SHA256
8caaeaf4f111eb60ef63fb9559e954481c3d717838237733b02e733e3acf0985

SHA512
4feb29e3198ecf96f188b26418511ee809fed9a04b309f1d9d77c4045f69375691b0d2c55d938d4b883c30b01ecf29ddf3e0e0b583e41d50c9a1bf581f302f5a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b636698c69eef3b3e12ca0ac3f4f60ca

SHA1
652624141ce53d652b8fa49daa6e86fe49f56fc5

SHA256
655e7ac2650fc546972818912e43520c325c264e9201f1efc816ac473d1f20e0

SHA512
f36984df22b19deedc99bfe4df744b16e4e7a7e9c837f328e72b5f26ad7fb86683b0412d73269018989e323b4012254ef745d3294c03550123cec873f6a5dfff

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
194a55b66af921fe9c506f415cf42fb7

SHA1
6942e9024d3cc64ae601e9d646ea67408b40b2b8

SHA256
1d2e8225a64f682a591b828c49741f13dd26ad75bcbcdc5b462a8222365b2ab3

SHA512
b2a2d23d172da9b466f9b490e0bff9c2b177c73465a91cdd96b75155f06c1ad9d22f33ed1bc20b372e05372ede17253bd3d8fc66b3f1b335aebcfa3be0222194

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
8505611d6d2c94449ca4c456f9835f5d

SHA1
47c5fb8208fbf9a029190f813c787f2af070620d

SHA256
77f196df705303ca6b7cf8efa71e9fa5ca88969142cd74bebaa7b3434439808e

SHA512
98fc2bc698ab771d65ec2cb38609ac808e99d90bf0e47064df89df2ed5f233d8e8d7a852c5fcb25affffd0f86b3bca7582e6108526780afa4669fcd732da79cf

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7d7fa7550d0d41f9e5b6337c9a69d72d

SHA1
f658860dd0d603cdb2cbdf4b3af850d84f517346

SHA256
4fd165afdce5a285b14d5ebcdc6bf7bae6d0e8f7c9d9af0ce5094cad8a091c73

SHA512
934dd886d2e22de865f3f72f3deb30821ac711edc6aab08f1c1031cb3a3d0ee373c86e565f7a0ce6b219d2da562b98f9b089f5c5241bd695fda7e69ec8b1174e

Download Submit
\??\pipe\crashpad_5060_SUHBNZZPYBEKWQJA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1048-226-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1696-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1696-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1696-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1840-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1840-628-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1876-36-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1892-221-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2852-21-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2852-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2852-406-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2852-12-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2956-90-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2956-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2956-96-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3220-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3560-219-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3560-103-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3836-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3960-231-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3984-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-455-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4228-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4384-235-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4384-631-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4424-220-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4516-223-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4540-217-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4780-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-234-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4924-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4924-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4924-46-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4924-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4924-38-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4980-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4980-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4980-83-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4980-77-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4980-71-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5052-317-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5052-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5052-48-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5052-54-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5064-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5064-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5760-393-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5760-448-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-633-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-403-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-441-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-416-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-634-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-431-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download