2f5e4aecd5b31a7ee554c83d28ef74bdcb59bdb4e8e3c78c867e7a09f0daa257

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
Size

5.5MB
MD5

5bf0c9dd22f9b161640ec143747c9349
SHA1

bc3bd885894680204a56985564bcb53fef7d6083
SHA256

2f5e4aecd5b31a7ee554c83d28ef74bdcb59bdb4e8e3c78c867e7a09f0daa257
SHA512

6b8fedf2f9275f8ea23fa48c4c0f9ce2e393fb391107caf4d77877ff412cb1681e46c729a22b77584011387758984cb983473f84276191f5f8b8d18c3d74e13e
SSDEEP

49152:REFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfi:VAI5pAdVJn9tbnR1VgBVm1h8AydV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
620	alg.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1556	fxssvc.exe
5092	elevation_service.exe
4252	elevation_service.exe
2624	maintenanceservice.exe
2780	msdtc.exe
4116	OSE.EXE
4800	PerceptionSimulationService.exe
2932	perfhost.exe
3792	locator.exe
2936	SensorDataService.exe
3580	snmptrap.exe
4484	spectrum.exe
3876	ssh-agent.exe
1228	TieringEngineService.exe
2948	AgentService.exe
4600	vds.exe
1476	vssvc.exe
2988	wbengine.exe
920	WmiApSrv.exe
4284	SearchIndexer.exe
5888	chrmstp.exe
5972	chrmstp.exe
6136	chrmstp.exe
5132	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2a87fd04b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7563f152aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf1b44152aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a65af152aaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d0dd4142aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ab941152aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ea1aa152aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b55be2142aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0dac4152aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f6fd6142aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b90a12152aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
4184	chrome.exe
4184	chrome.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
4844	chrome.exe
4844	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4184 chrome.exe
4184 chrome.exe
4184 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1564	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
Token: SeTakeOwnershipPrivilege	3496	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
Token: SeAuditPrivilege	1556	fxssvc.exe
Token: SeRestorePrivilege	1228	TieringEngineService.exe
Token: SeManageVolumePrivilege	1228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2948	AgentService.exe
Token: SeBackupPrivilege	1476	vssvc.exe
Token: SeRestorePrivilege	1476	vssvc.exe
Token: SeAuditPrivilege	1476	vssvc.exe
Token: SeBackupPrivilege	2988	wbengine.exe
Token: SeRestorePrivilege	2988	wbengine.exe
Token: SeSecurityPrivilege	2988	wbengine.exe
Token: 33	4284	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4284	SearchIndexer.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4184 chrome.exe
4184 chrome.exe
4184 chrome.exe
6136 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exechrome.exe

description	pid	process	target process
PID 1564 wrote to memory of 3496	1564	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
PID 1564 wrote to memory of 3496	1564	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
PID 1564 wrote to memory of 4184	1564	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe	chrome.exe
PID 1564 wrote to memory of 4184	1564	2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe	chrome.exe
PID 4184 wrote to memory of 2776	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2776	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3456	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2748	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2748	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 3720	4184	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_5bf0c9dd22f9b161640ec143747c9349_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff824c3ab58,0x7ff824c3ab68,0x7ff824c3ab78
3⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:2
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:1
3⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:1
3⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:1
3⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:5796

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:8
3⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1908,i,10782590208125966394,17515916969728417568,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4484

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5468

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
203232f1c5dfed62858838981474e1d3

SHA1
c3d028e9c0a40808a55e845a8c44d531c8595b9a

SHA256
760bc2b696187362c37d10a15cbf8ec02c37afafed0589eea5d456ef37dbb855

SHA512
a16da897e09be6361b87548e5c7ecf1dc6c630733a97b090cf5ce7614aa5353383ab7bcf357365785f240ed52bbea75d09fe9c4e36ff14057ec0c5eeb3f7a6fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
7b56a7f51b13f0838d80d8621c2ef8b4

SHA1
6ca3838906c83c93547342d393ac453a3b709bff

SHA256
e4a92487c2e8ec415520171fcdca18e86c3396d05869efaf19b60d16cd5d09bb

SHA512
c008d7cfa1e36930735257e864267384d4ee65a09ef0d26aee237bcc8bb9ddf5a1a6e3f5ea45eba57cf97318b997b4d48e29feea15fc9c922bf5231be9801c33

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b10c8941b2955807aca10711e189f02a

SHA1
e21439849dd2a6ad0e79b9dbc89594bba7a4c4a9

SHA256
6dd50366c3a48db49792e90d0c9b88416a2de76c17d6ac052771ade2832161ab

SHA512
31a976817356f565e108311f42e3c4f0dec9224cea1f2fe711273fa014809daac394b2aa67b0d10dc23a770a622af70a16cca8e6e04b361affa0f19056392198

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
201b8516eae3bd5d8c5b98b449080e4b

SHA1
9928dd0cc213b8a6eaf2bdc6d5d093f0e0c54a8d

SHA256
357b7a3342e86eae5ba52c18b6eaadd2ee85ec54adb519e9b7350c5b7dad0a68

SHA512
53bdd44c249bd51e68fc6151edcc1c3f0c3c21c26739227a020e71159d4f0f231f0adc9a6dc30ab80d9cf6b06dfbc987155393f8ba3a1d7be59d4a29311ad75a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5077efc9dca84459d51d115e79ab89a0

SHA1
1ea0087e66d9810afd14bd09fbe26c691e6005df

SHA256
84d6efb939930599091ef872de18bd73b48c7055f2ff7ea241992be8771404a3

SHA512
27951f760a218468fcef45c044734bc49765e807622d80e8a6b981606f603a0cb6acbe16d0cf7ca234d7b18d2409cd70f3538d2cfb097ace1ee545a434f845aa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
074213c85e8d9cf32fd5adba113f5bd1

SHA1
9773eaed419e742422d7f036478078019303a183

SHA256
a86bc44a44fd2e502a7d5fae99013dbe86bb2a1034929f5b5e2700b1b8a894e5

SHA512
721e2c4915874507303133dbadcefa61c854cdb5114ae7a15eaa191948a4c69883b1526ea56b5d419900c54219d8f287a6a57405526c8b57d7f6247836abdd55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b374d7ef82fae78fb4ecaf78158699da

SHA1
d024af76d88cc4933d53b1829304d4f90e764e28

SHA256
a1f7d7094c0735c52c660323df5aacda286237366c563d7f1aedda1c9a31474a

SHA512
85b0b7ccf01c399bb8a5064010e62cff14c0ee62470d1f891785aa1b44d8481599f3bdf5c35adcc62202db835a935efb71561d29a9648e7bb2bbc1fa325c6dd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
140826be86df8ba9240037f4a87a88de

SHA1
1ffae6881b7d0675c5e9f1a3f294397e99359279

SHA256
afc4dc0623a7da0198bf803cf7d8b39bbc36cca9252d0a62748ea0e45b0781fe

SHA512
a8480c894c4cdc821f3c6e4068af010d28f7394bbb51232e026b1b0002ba1bb6e9b9b46ff1150d46fee4333bde666617267ef37f42e2f5ef1c8d0ad5aaa25f57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
95412bc9ad24aa053633c69dd850404c

SHA1
18dadfcc8199dc851499142d100ebe966287696d

SHA256
7b2fbdd8f30460a8fa9b2c8e59c9f2b15534872ba1db5dadc3d69ac388e19143

SHA512
eb4d6cb2481dffd1888a7a3ab7d5847b89ade9672b9c0699bf0d6fd123df90a4f3f10105a77e88a6ae696f2a82edaa2b59ca3c162fdc84c7e958b79742ee6c01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f4d4967c2869c36bbaffc79eb656f0fc

SHA1
315fc4ef5c927a4cdfc27ee8d11e1b3a6e7c3f07

SHA256
7a6f2092a8ad08d2ef0f7986d9ee5161b67e1dd6ad35ebb627c8fd6b016554b3

SHA512
ef05b9087acee66fee11f69953aabce8ac424c90f4187e0ae3f249d0cc71e2d08f1fc52d7f0350403236787e0cee5192f1c969cd0bc50f75b6b43e4d475f02a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
253d6a06c26877b124a7f2203cc3b88d

SHA1
e44e46aa165f564e38cfdf1f4b63f9740d488505

SHA256
568a911ba64f65df36e6bacbed923fa32241de097829d72587f462ed6bb973bf

SHA512
3e6c4d67efa55b766723c186f88637b380e87320b3a18fc5d101eda5c312833bf35d1e0ed879b4851a0770464086bf868c76a6c6b026814eda9dca9135b0051d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1cee3b0f662e168198cb672b6ff227f0

SHA1
d13426b9405715bc87cc4df5e4338f4c4249ab43

SHA256
97349b96e3854e02d49c247119b7e294bf882f0fe60c282f3b209dfae4db5f12

SHA512
10109361875f30d6e707726b2d41f036b281f1cd2c780baabfd2ff6c9ee2373477c1ac38745e9b6e3ac19e7bcb594a3bfdb048fded8f3d66e8bab2d2acd893e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
055b77899b8cd5104919366a48ca8377

SHA1
87808057f141ea87aa43ddd20d24400ddbd1ab2c

SHA256
f6bfc6978c41fa97592a381be06458d4b11603c25037899d16961f7c847b7d26

SHA512
c14ba1131896a9b269ab838cd05c6b7d82af7ed47f313ef2121f3e5a13f33a077f68121009121ed4329416302344354f395aaefba1156d6ff81cf79f4134a154

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
530ba3d5cdbc181ccedf0a97f3e9b3db

SHA1
de96b40d78f5442de1941065304e09d53d795401

SHA256
9c69f10ce945b9f7290952f713f86617d23256a257c9d2ec0c368eebc7aefa21

SHA512
24aa792b10d8325ef24139ea45074abe3d4e112cbdbac6356e80085aaa1baa12b7c0245b385fafd9625590e4a5e33b1ebcca5e842c7ff5df5fb9427a769b3c5f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ea293cc550c1757806d174fbe6a1909a

SHA1
c924e8c812d9edfd7db6fff0fe3bc9a2aaf4f4c5

SHA256
97e618096e7fbfa6b5e3cc0cb34a2dadae6ec3362f368981b39a1904da5ad09f

SHA512
6244c0c4b0c3a364dc6c2a3f46f65c13fad4d0f03e7f5a17846c492ba32fefc6e3c1eeae2cf70fd701b25ed9bec55259e6d99e48f74b64a02e3f2b35e0f668b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
759d398b742b7a43c1bd8557191bf7e7

SHA1
90dea65ad7fcc8442796964a06e5e5c6cd7b39af

SHA256
191930f07108b998d448afc497a7bbba303337cd2de4365e43022b8517d311bb

SHA512
1577a072b708c9e20a2013ae98f84a8b0d4b27517f3ed2fc0798e5e43734610d793e70b108c93aa82f58b705789570654305eb35549b46823b9d1c46c83a3bb5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4c48e1fb-254e-4274-b8e1-369987c24b0b.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
62c6bb13b69701f73859156a77ce2a4e

SHA1
46685fae89b1f2fecfb049362410f5387f8b497b

SHA256
8070d9ae87b274aede3fa882714aeb09e02115d67a9f4cf14510eb187aff3fc4

SHA512
e57d54d3f7b7cbd12092520c59fa3a8a5f645ebeaa6c0dbc84223581c6b873fa87019f81975ef869a0afc062a55d1a5a6fcd00132569d65c247ca707a0189ed4

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
564a3a16f3ae9bbec0bb95ec471e7f5d

SHA1
5df6a1ee2cb7780ed640b934187e70611b74f843

SHA256
53cdd098e8f1dd118b7308a6d312a4595cec9127d6198f143077c70e98d6c3a5

SHA512
12a6f37bc2958dd4daa366eafd334106d70b895c8ca458b7afecb5539500d4fa7b1ebc4d8f197c532d043a9ad70452f391f22599d29ec7fc9215b8d21ab938f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9e2d73b7123685f454833af7678e73d6

SHA1
afe80a218c358dc871dc8354213e2a5d74568c87

SHA256
d1d280c25fbc907e913bb7278d3711059664b307fbcb5e60407fd5a5491e5764

SHA512
97c0f24f297285409bd9de3540535dc4f833a2dc2bce7e33ff59cde1a766d570517ebcd8e38b6f35f32ec0d4d1c0e218cc7ea60621f5a944553117f020963ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b14b0c8131f55feba5c6377a1dbdb9e9

SHA1
8d75f5c7857d079ad44bc7c469bb3f7c32087c86

SHA256
3936a3557ad713dec25318d59d91a0f950947be963d4c82e9ae23f4e5e1d62a9

SHA512
c60d1e42af8784cb770a3b0f979df37ace52e0a2cdc4ad5eb4674597580b6dc39d3cf59c36f1a614d549e77baf49388a6fe6abf083f0ac29d80bf20a2421627e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7096fa6029264ae3a0b2cc47ec9def54

SHA1
2ddb90d2bee008cb80e407324fdc2bb572b6271f

SHA256
feb3e39cb21c50612fb0cadcf48d5833b1b25bb2f0997b0a798cf65d71ff578e

SHA512
b8f0c5232139103a1a0141cafdd6f442e81c2cdba2ae6f260758f8179258c088d2bf12fcb614a51727886a990f0c1b119af989cef1f1c1be27af7330c9961bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577bb8.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b53a3b930cc45acb10dac0adbd5d22ea

SHA1
28f570efbf8aaa8c133707256a80081a46c4bcca

SHA256
7aad61c38966508ed1defba98b10bedf21d68533bd68dd6d6bbd9f7b9a752736

SHA512
2d314273e42d8f792293606e87550770b426952d321e478c7fad1e024c6353af3f37305f1c4073661b24dc3fa65055603d8113909c83f644679d3099339d5fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
a80cfc8d2e9019b91a7008c48892c290

SHA1
48b93bdcc8cbbbb8c1cec37672faea9f13c3bb62

SHA256
b3da22637d3724d4812e0adc39679230e9311babc9ff4ae6c803c8b327ccd4ee

SHA512
d72de07ea23caac67d1bd9696fb8018e410140d098251f3be7092701c502c486da97fd8bc0a7830e97ef9d9f6311ee3e4fa95ec36c1d13bb1c861150d582154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
02048a74e4eb857b47a55b3d7e525a8f

SHA1
548d9846f86cc4770e32dd50c14dd4caeddc1d02

SHA256
94f559f9393dbe27f6391bb65fe4953244132eaf5a14b3b3c2ab8d2ecb331f25

SHA512
ed331fcb4ca3f78cf375dcc6bec29747c64195f7f2c4782c1bec35ed707de95b2629d6e39f24922d96f69fbaaf2f32f96f314af105d7fe0152d85827171cc47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
7761bb8043b07e3836dcfefab3f9dcb4

SHA1
442994ac2895703ef947b796a653cace3d611dd6

SHA256
ceebd14bf3a1f18e35efeab5b4f517113c2d52fe7550b99b47dbd8a8c7d90c11

SHA512
0d91362d0b980b32f06f9178433d1bdd9b2d578ea33b11ce667875b94a2237fbce25809ffba3ccaba2329c7d81ffc286dc5a3af34c887bf68329990c3ec71988

Download Submit
C:\Users\Admin\AppData\Roaming\2a87fd04b4b1389a.bin
Filesize
12KB

MD5
e03dc068a433d62600708d9ff2af136b

SHA1
fc87cd7a7789b3552f1acdb31a1ef283ab009b45

SHA256
57749d0fccbff13618a58bf2078cdfd06912d155c7a32c6253be16bf20cfb918

SHA512
f9074dbb7ddb508deb693a2cf1ee404018eb878a8e5dfc5fe1cd6eebf4a547243c3c17b9286f0a089c61bc11175ff4b3916eff4697d44efbffedc72cc2170300

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
3d43f0a112c39ea9b70ffb43fed1e03f

SHA1
7875d2e456c615f9a17af4bc03c5a9f756dfe340

SHA256
b7cff36483f5f77adf9ee725a37695f1799bfe24554969ce197db2c6bcce155a

SHA512
c2e0c0a4ed4c979363eb33b5ba653210b7c1f8be36d875edd973e7762f3e2a0f700e7e1b6e915858ffe8108f07bfcd9cce8303e42eb0842f0970701a4f15747a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f828b019db86b2e8476a26e05c6f8e2c

SHA1
8cf0f92c3a92527b12f8e4e7fbb91e6c55f30a57

SHA256
28cf622a723b47388ea0e1d1b7c6aa9b7b850633c9fddd9e409522211f6b4cc1

SHA512
b73eadec076c0f2627f673881f1b59ff6ec847ffd960a8d6154966636fe1196eb5028c6e060fbba6eae28c7f7abe25d3486c25cd533f96844c9d247672b0f809

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e60be08a44c14b26682c4b80e6dcdd65

SHA1
0055d77cbe9b60784dbfa51cd7d526ac18b7f3a6

SHA256
f07926162fb56981f38d388645f197ee8eb66921f043bdc4c29002f2cba97fd1

SHA512
3114d4c1dfc0a3b60f6a7382dc2e577aab7e53e6e16e9577580313124d59e464a4a73a60e957034028b0a2da70a2e5e4a018fb51ef72d3442f7f4ea49d6ac59c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
300e573666c5f3ab33375b9c33a8ed89

SHA1
dd6f35f74e730322446421e76cb5250621dada7b

SHA256
a611c8630dc7be180659d6e8ec22d8fd25cf9a86daa80bd1c2265c066312f04c

SHA512
137e4c572cf7dff267b5f996ab606085b008d1d27845a6a30abb67f842524523d16ffb40b83e0a1001ac5012044bdffd906288302ad2e4250f7fc9f4d3c35448

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
0c86bac506c3ddc3cd85ac6f2f636a1f

SHA1
b8cec144ccd4f6fa1d25acee5dbeb4536c362bbb

SHA256
f890927eab6e7dc1c571065a15c38ebe6027b9bf2f0ded4d07bf2e35b6eb2db2

SHA512
c2fb2cb075871f469ce3b3619d387a5e6b47477d9663d1f05e1ad0461515869f9f97c46753bed5766e8493920a5fea62640d7cc788ea8c802c176124b7606afd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
0effa2002311f07eff9753174b81dfae

SHA1
edf1f503063d9b7c250792235ccc0f294761c9bc

SHA256
9309e1c3924ad8758bf6f8087f706d9bbdfd7c5df00a92b2f0f60d1c1ac8c201

SHA512
231f9cb9a5aaf8f02ecf7466dd23d95aaa079e38e10e317bb26e794e8f0b378f43ca04a4c13b17712d99741e87b716eb4a1aa987cff013d946b81872271cfe4e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
36cd43c4b0d6576e4a487596b70d6535

SHA1
ba7e5cba5258b462bd1fb2d6df8ba968031d258c

SHA256
8f2c092b8531a425bda0306c940470b606a134d8797d4e34f9e079187b306dd6

SHA512
b49cf2710aca3e20b9cf7a346311ebad18a5aa60e61d8495be22737f918b81ac93ad4d3cc2972a1a3705a754c72efc177061dd4e97cb02bc4ffcf1713e3b014a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bb145fae0648c1d77d7843f3603dc114

SHA1
c1f3e9667602191aab216b0391ef2e1352fd7720

SHA256
0d4af312dfaffcf17fd617e3bb93e76759969b0ddc2a493e09441f79341d211f

SHA512
dc4555f482735a4379727db8ac77059c327d684ba9f1f4776d93444a92b3651ded917ef070a22fef80b8b520bc6d510cac1556f78359797aa092874b122b48b6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
03030d38e594202f036e31f617128559

SHA1
8717f84d9fe300ac564239a568a409616e5177da

SHA256
f065171518621a0f4d797bedd6513ef4e067a358406234d738c9e56d28d99582

SHA512
1d517eaf11c27cdab7284f64d8845b96b4a1df94e0272c7d378de1a4c8c656d06659b80557817ef80d0c2ca1e80baab93abdbf3d9b911f680b98ce4efb416cc6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f903c9116d265c74988d902d5c28ae47

SHA1
24ccf9b1176b770029c5ac81e80e4f4439f249d0

SHA256
70467a56c845f9dea1f1607b3211f19ac06f184f06996667626b5ccbaac1e4e8

SHA512
97b9d4ec330e5944b7d55fb505790b8d0ea1b531b4285819000d893823b6286b2c31a452a1c33c4eca34c0566eb992bd362cdf096e3626eeb768484158a505e1

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
080f5efe92fd1e2f39481cbdc0e731f3

SHA1
4531bdf16384381f83812adccc2f3df3f6817d33

SHA256
a2244798dd24d203058afe131c9ae5abaf35bccfc5c1368d97e1d21c72c16ea2

SHA512
67c5ddf260e5df1866e8e5070b64a23737903b603ad7e9474f22f0eb43976a1fc4e9a3a6e551d1916d883045cddb44589e04991e2a2c9126435b8dad00d673d1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
23611968874991ff0c21cbdb49df3c15

SHA1
a61653931fb415a13a01f8b7fb806843528a2476

SHA256
9bff3eb725faab15cb54aa2086a09b06840681fdf9a04c2dff42b438f28bd89c

SHA512
5a1d82a83f5be576b731ee16e92a9d625941261b49ff0028cdefb4a38d1fd9b7b1e0f42039a51076c887eda73f8b9f14ec64cbbfcdec107b4383e72612a9588a

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
dee80b61dc3f65f3e4a7b09edec27e05

SHA1
81ef9406833735408c37b620100fa1434f76a957

SHA256
b6009155f12bfb56e9ab6cb73c1ef24faec078db3ecc03515eb474e5e398c480

SHA512
a8bf0e4061502feacec3870b529511c2f1a41f5973237019d16f589cf26391cfbaf366cf91521f2f5fb3628e2cb8909e99659839afb5cc28ea8bf2ed69269be9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
601a618352668444d5794191dd259892

SHA1
9aab8f6fabbd8ccfc7578e80202819a42df72729

SHA256
e1a43d53285d06487da5f4ea43508e731c618a46d41f479b7224d1d0c8e4cc71

SHA512
948ecc608ba54284be06858bbe6b20855abf4c1e8579ed539db50c687ce37b201c1902f3c7a9773ea9464bb04e1117fed43d924e85a7b79100acb55cea6f9f5f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
8f17bd7e8b725d172a137f45a3d4f325

SHA1
ce78e72b515fb501ad930da82e439287a54b12ca

SHA256
bc63b0eb7c9ab05eade6827b9d7733884da0ade41c35739373c3edfb1d778672

SHA512
012c7929cf9792615e73d22cd3677131c7bc296d9d5a97ce0b96126769fac107aec07b8cb8d5f7c293010f539b445753ca38292f58c8368423d893de22480283

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5f638996465e19a51cf1c93870011f75

SHA1
702c3cae6921cc114975dc34150bb683cb95eb3f

SHA256
bbe7161c120fd1f1ffcfbdc5235a071db938202c0e64948be25f28f6ae0ca55c

SHA512
ddf402f5e98ffeab41c0709b1eacb5725f7bdb7d35b729dbdf09ca445c2e52a4656b3ea85bcc49d6fd27e3a5bb2ecd68bd9305ca989c92a07425dd024fce5f7f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
02b1e9167b6c83d570051a9d25c7e14b

SHA1
7328c5d1e8053d5ecd8435c3b88b2d1e0fb5ad80

SHA256
94de97fcb1330037b2e1151104e4846674b74043fdf86d11f72f7939eda31e98

SHA512
04b4409ab278bc37d87acdb8e0e304fdb7798a4a3f75e097065f452b58d1c2a5eb3c22c15c29f540388c01df0a0e4d7bc8d3b0e8b25e55c6ae513bcd155df8da

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
536f0a4338cbe7dd10182839d42e04fd

SHA1
5d106bee973f5f3e078cd2ab156a5aca252f90ca

SHA256
71590c5533fb84193bc551bb667b87f1dbb133a0ed71b3ce49c2b0507d9c76e9

SHA512
b5c2c4adc97188cd5654612861e095cfa9622f3b32b91de6b366236b21bdd535114738ee55a171d56ecab9658933bc4aa09b150f2b38c7326d194499af6a8287

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7b1c4fd973a2f03f135c422a8aa23096

SHA1
5979a0d248574b449fd9109b9580b42a973cb42f

SHA256
797cbc4551145be800c3e3b9ef125eb3793e089198d354ce2ddd57cfa83cc903

SHA512
63cf56a0e0f227357a96786f2da0a92abdfb003c0c666904fdfa032fa9f1506696addb57c5611dda316162b3943e8dbec0e4f94f12f7f380790dc8d474b6f11a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
1099983916106eb72178c4243962604d

SHA1
83863c2398de5d52cfa1a1b25c629c4054c7e67d

SHA256
b3371c817d89af8c8bd7fd4917ad03b0d6dbee7101324e525195418d1817959a

SHA512
6fbbb75c24014314d28536e3497458ecc73db29811b7ea9525f84906e826a22cdaf1ba52b6a02ad3b3c0ecf1341b82eb94f234733f7bae6e343318c7f7291d0c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
d2deaaf263a4bf2779823de86c297c48

SHA1
94bfc42a16a36f62ec00ebfcc1232907c60fceb2

SHA256
bb25ce7f596f874c615897359bb1efc5cb08ad4a88b2c72230adc6877ef5e2a9

SHA512
2e8a3881312f619bd94d6c5e2df01ab2aa381e7ad62585351507ffbdd8b774e09036dc3b583c3c6bd820fa17d06e7e59ee73c8c3ef1f8a468b39adb931787e0b

Download Submit
\??\pipe\crashpad_4184_MABIHNWDQUDSCAET
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/620-502-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/620-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/920-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/920-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1228-253-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1476-261-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1556-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1564-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1564-6-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1564-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1564-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1564-21-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1932-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1932-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1932-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2624-73-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2624-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2624-83-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2624-79-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2780-239-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2932-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2936-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-244-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2988-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3496-11-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3496-443-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3496-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3496-17-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3580-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3792-243-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3876-252-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4116-96-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4116-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4116-90-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4252-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4252-658-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4252-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4252-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4284-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4484-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-254-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-100-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4800-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5092-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5092-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5092-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5092-352-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5132-475-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5132-662-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5888-431-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5888-491-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5972-445-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5972-661-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-467-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-480-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download