c4523f98654928c4b063ea7891503390b6b6af4ee13d41a8380342ad4610bf8b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
Size

5.5MB
MD5

60319a691e07c3c386472962f798cc57
SHA1

8a8c476046eeff1359fc9d5474f521088aa2b475
SHA256

c4523f98654928c4b063ea7891503390b6b6af4ee13d41a8380342ad4610bf8b
SHA512

80f5b0e87c25b6ca305084c4027dee2cfc3dd666705cf3304d7cbf9555c1d8bc5c209fb0602724c1d56d669f1606c9ce554416dc819a72c230f73cac2ad8d307
SSDEEP

49152:5EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfN:tAI5pAdVen9tbnR1VgBVmHeeUC68

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1356	alg.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4276	fxssvc.exe
4192	elevation_service.exe
5180	elevation_service.exe
1160	maintenanceservice.exe
4992	msdtc.exe
3952	OSE.EXE
5576	PerceptionSimulationService.exe
5544	perfhost.exe
4064	locator.exe
5296	SensorDataService.exe
1460	snmptrap.exe
392	spectrum.exe
1952	ssh-agent.exe
5516	TieringEngineService.exe
6132	AgentService.exe
5540	vds.exe
748	vssvc.exe
4944	wbengine.exe
5396	WmiApSrv.exe
4588	SearchIndexer.exe
4248	chrmstp.exe
4720	chrmstp.exe
2328	chrmstp.exe
2740	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f461b362293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa39c70108aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a06c7c0208aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea7a460108aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610488147228729"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061ed990108aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b76a30108aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abee7a0108aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b76a30108aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
3380	chrome.exe
3380	chrome.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
6732	chrome.exe
6732	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3380 chrome.exe
3380 chrome.exe
3380 chrome.exe

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2928	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
Token: SeTakeOwnershipPrivilege	5920	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
Token: SeAuditPrivilege	4276	fxssvc.exe
Token: SeRestorePrivilege	5516	TieringEngineService.exe
Token: SeManageVolumePrivilege	5516	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6132	AgentService.exe
Token: SeBackupPrivilege	748	vssvc.exe
Token: SeRestorePrivilege	748	vssvc.exe
Token: SeAuditPrivilege	748	vssvc.exe
Token: SeBackupPrivilege	4944	wbengine.exe
Token: SeRestorePrivilege	4944	wbengine.exe
Token: SeSecurityPrivilege	4944	wbengine.exe
Token: 33	4588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3380 chrome.exe
3380 chrome.exe
3380 chrome.exe
2328 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exechrome.exe

description	pid	process	target process
PID 2928 wrote to memory of 5920	2928	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
PID 2928 wrote to memory of 5920	2928	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
PID 2928 wrote to memory of 3380	2928	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe	chrome.exe
PID 2928 wrote to memory of 3380	2928	2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe	chrome.exe
PID 3380 wrote to memory of 4412	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4412	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4840	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 2864	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 2864	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe
PID 3380 wrote to memory of 4488	3380	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_60319a691e07c3c386472962f798cc57_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2c4,0x2fc,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa127cab58,0x7ffa127cab68,0x7ffa127cab78
3⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:2
3⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:1
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:1
3⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:1
3⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:4852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:4248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x7c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:4720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2328

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:8
3⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1904,i,13732419134746619097,9040300765797731203,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5576

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3356

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2b9308b8569e21a7b79fcfbaf0ae4831

SHA1
b19439dc635550a4cef25a97bbbf75ac4b7b48c8

SHA256
bbd4e080079864b85e94ae940647ba4c48b912fa3b265ee75c1af8b2504c9f0c

SHA512
5fff83b8bc39cded8aa2c0d4d5d2fb1fcd374eadfb704e83d3fa6fe26cc93e99212e49a334588872c57795127517a0162c4fce3df3b1f86130466473aac99acc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
7aa9b953cc1c0ace460d93b04641040d

SHA1
8ae92aca9d20fd0e3fd1d677697d9173d3f517ce

SHA256
56096a72d5e4d14b6dadd2f07cce84b8b85341fe2224d730507cf5a3ebb24741

SHA512
6611c2107b244077ee6cc485de9cfcbbee5ed712d027f35d69bc2754e584c823e01118b42533f8e34d1c93f630103779c3c002656718647f8ac459cf6f9de0db

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
78bab61df2289bc5038b8636cec64ee0

SHA1
fa21e4fb94e018a273db699eb1c874cea2fcf742

SHA256
3f788c0a865298039df49174fe1a9da7d98b87f11dd04447ad9bcfeb1ee9071b

SHA512
775649a32c3f30799dbf2957a5d8cda45e7f698c2fe2a5051c4a6726cfa9723224d3297abf3bd8c96e6ad39ac127daf0091a4c915a7cc87866a501d7b47c0ddb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4ad5f826578adca3da59a6a78d6d8a1d

SHA1
5419d34a13b712b7bd29e976a2c4193a84e5ce16

SHA256
42562e8ce68813488e4fccd0f1959a8cf2f20c28cd2a0af200fde160e9eeda90

SHA512
d23e84f7ec993a106dff448682c07ab7e03daa96ed06b8c8c0505e2fc9204c4f3e269bdc50a4a6f28e84cfe36ed01fcb971668e2cecf9a039206171379ce49b4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
8adc36b236945326df47e4fa573ede62

SHA1
c31e2f92a7294ddf4c9a38d6cd2535701922650f

SHA256
1a408c36d9d6c00c563d4562feae25224b0247189efb3882c9b8ec8cee99038f

SHA512
900fcc7114c181b688ffa6bdfab0721d31c269c8834de1f356e0f4aaccd7508c70e8b7923eb8ec1019a4e29d9e78e8b510043dfcada0a6bb5277e93c0e412e11

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
7bfe30c703e001e079c1ba5def170a9b

SHA1
29bdce5c2fdbc28df29a27e119f63449c37d7644

SHA256
e2eeda1b89527ef58a0cb6ee491093b7014a00d76b2f76db36a45e558f0dd2bb

SHA512
77769accdde43da9d847583398455408cd501144f3e8c0380c492767988d66fc3c366357d37e7f6fb22c445d171686222035409024a4c87619d2e0c0a47e6fa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
7b2cef57314a3e8f318702af6607c5c5

SHA1
b350ca967f620d2952dc822da24ebb2bb3ff7a0a

SHA256
f7eee8b60cddcbf236c051714a52f5f7df2a37c327dfb5f540b01a9006ab3c17

SHA512
3e5ae0d43f97db10b9b676b92b3a76fa29a302304ca46fc7e405c3e1f647bec2a7cbd17f10a0a70ce445dd6ab71c02a9ce646c218e7dda5df7bc06b5f4ee24b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
bb6de4e26715513a516ce18c1f64dc3f

SHA1
24c14112c967c6f68763132c97025c75e1438fb8

SHA256
7e24b4e6b123c3c559d974e4046a9b53d2cc2772c85c18cc4cf6562056b6804c

SHA512
c9ac60458890bca8b5639410370117f6b8a43353421872c819f206902b472b9b31399487ffee44de27a750210c06bf562df7c3773231687d1cc6747061c723d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d3a86c5665584a060e50f189a03ee9b2

SHA1
62a57281733e75448dd55a0be5d890874044687c

SHA256
30602f0e7b9806acd9851c7b15a77cae14483ce26021065bf205b2b96d7ac19a

SHA512
e484342769bcb1b3e85bd8da9da26f2694e86553f3d7b4827692a9295aa4fa2f0de07d23725b492574978da8c34d6d09ae652d4b5bb0f5d0bb17b1f97bf4eb9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a0bbcb481f2c8c18bab819f03c3e90cb

SHA1
68744d4ef5f5e55d0e28b803c8c25fca5c7aa21c

SHA256
14b74927779889e259179bbf551a09a97e50ed18e20fee5e4b2b4d04ab70cfbe

SHA512
5802971451f0124181797875020c5c5651971e2e3b9c51ded9f4150cc38040edcaf1faaca6bea84b1f12ab901854d7f7a8af331b2b85c99f9639b492c06751cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5ec8a10a8847bff5f512a03b15a6473c

SHA1
ced312bf695eddf5cd8a631069076a32e5d1e621

SHA256
3575e19533a685b76b86489bc40b9455e1544cdde67e4d72340c87bb0e04b2ef

SHA512
6a49960268fabacfc9913ee2da9357efe3f5429c86deaf38202de2249012b0988b3b0a8287d5b752c111cd6ae5976fb73beabbba5e429ea3458811346b546ae8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3327f5dc528fd688396417964f03239c

SHA1
493642800cebb9bfd7d1b45219681f1d7b7018d4

SHA256
7fcf2fd80824323ee1f7f29992be11365bf1d36c1bceeeda1399531b7560cfdb

SHA512
f1120431d95e4792d8adc02734798e64d6bbd1fe53ae6254e90d1624ee6040abfe22dc25a5d762af69a0b6e2ea875ae9f74b4b7766141c01f6bea34a0989783a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0a6abeae9cf70ed7c254f99d2e64e6a8

SHA1
a3b5436c650cfd6c7789db35d14da212a6690c6a

SHA256
600f7917612a065a6f871f6a6e5b4e740f0cd1239e2d7eabcf728fa247f0ec7c

SHA512
a41940417f50c5f4a9deba06034200bdc5e0cbadeda5b8027236edfaf8f6342f982400de7b47cc131e239a82e190ad7a46155afee7623a9c305684032976a29a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b9a270f08f6c258242465cc4eb91bfb0

SHA1
4014d2bed41e3cb85ca6a15c0a5cefa4d120e1f7

SHA256
3dc8a0d8d400524386bc97aa3068ac9e32552c2b11b1728bdacf6a3aeabc3773

SHA512
57eb12b708b10e20ee42b0ad276f829f773bee007617cea5932948c9bef11cf2236c35fd5308ebc32bf6fb579f9dd63fd2741195dce3fde0f748f7373fdaefd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
eb65fbaa40d5c09a27f35da3d3677f8d

SHA1
f8114400e2a549af8436128f5c4ae208b3a16386

SHA256
ea2b097ce15ec29d9e3805ce43e97392a1e73f03c3f8a7d09a266c9a42ad534c

SHA512
e56a4a1504182232b1cf46f4e93e73970b67d3fabb9111ab83a1aec2cfb0af17cf6c3c0632febd9b899dc9d45c20fa9f1864c7af49f6accc1dfe8476286b95ba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d70f18022f41d252e064e34ba3f40221

SHA1
49c7f127893a1c5adefce47275b66ec9c6aa38e6

SHA256
80261d179bf03bbb25fb28f5d6b9c1d6231322135c084fb2cafb8d4ae1100766

SHA512
eee1b7288d5a80ee4f4b27df2c0f54e647c18823b76b1124b49eed8072a34514da1eca74d892ccb92b93f50459f7ecdc65f92310aba60f9f35893fbc02a66c02

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d8a79a4b328e68108d76282b0affaae3

SHA1
7aa1403d6be2ec3fb96ab085bf0b9846a32ef37f

SHA256
a5d5d9e679deb8c8f1ab41dd3af86e90825b36c88bf554e188ddb40cb12bb006

SHA512
989b0e7b7f3e12c98db3aa1405d74e8749c3ae95a4f26f9336e73179ea128e2994ae5c2aad99018e43e08c9920fb6e4cf8f751853d0bce6dca3018cfa391d4be

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
757c4d508cf286c3dae7b46a44787e3f

SHA1
61e28006cbfc2bbca49394164c1a2b6423667217

SHA256
60f4ed7a738ce0eff01ddc5c6c36c8ed425fad321b0d1a80e6225fa17abd3e6e

SHA512
9ad71b14cdc2f6f622c446511c3d073b3fe90194267b0df35eedef267c0d16e9f9efdcba164d3b93231437a2a6eb2156d82edf4713cab7eba88367308bf1c993

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
bbd5363e4d0e65c86143b4715811d234

SHA1
8f560d95e6011449479ac1440416459aeed49a70

SHA256
738ef8093983c20e010e2f46b64f2b4e150643094cfad9429a1ac50b3d56a0ba

SHA512
8b066da27bdc1506a57c957aa6ca071aedda53e96df43399164858ec05ef916d1911932a7b9486773f55a66b146b40fb010c8e53963950e1c2f96d048437191b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c07c5cc15f0e1a69b76bb0457bbdb14c

SHA1
e7132c7fd83e36922e4971f493aff3575ad9830c

SHA256
ae59f34877de1bdacd155cadca4dcd697ecdf166e7ce261a21bc117921f6671d

SHA512
794acfa68be3eb3111eb9d1e5615980cebc26d28bdc6adbf3e6e66ac7e080c0864dd77a44931c614a5758a65aad278b582a84683df704452b38d324c91528da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d5a7df96efe7029caaeab79f3a5bb5a9

SHA1
532acfc17c3f0942319fddd67adde7a89fc984fa

SHA256
0519567e3cd42c7ffe0b016bb610f5435c83d4fa0aff373dbbbbf9424f67f22a

SHA512
c64e3cb401a4dc818e7c51f480c9c6ab37090a6a2f543a1d6b5c59ef53ed9ab42ee261db5b3c182a3774b24fd97013d16e3daafc0e2769e363e45c3f11d6d44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5feacde71c2f3af0bebc00b6917fe9c8

SHA1
1f4e7b4adfbda3a3ef25ee210db80e00858a82b2

SHA256
07f37b2e63ff4eb2a1ebf9ce85a3c6b15426bb3436c5610e897e627a651aa887

SHA512
61653953c5dbd74754dc5b8208ee76c5363ca76208a502544f47893d451994472b87cdaa7cb8c3694ff003555105ebe2403f1984e89ef8cb9d7065a1fe06128a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5777ef.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
46a4a0bf308310a48970a59569debf96

SHA1
e03b6ff19d903bf6735188c08633ae11b1aea115

SHA256
05d0aa92f5cdc8c749156dd9a6b8f43930a3e850f9d7c076fbd0af307e6d0fe0

SHA512
f16ed21276624b67b6fe1b8022379bff1ffde29e600c8f770328f4d6a4f3cb04941293a6035a7919ffc3d697d69e54e0a931ce0d1d37d9a3bcbe41bb16ae05a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
6acb023e0b64b7cb4cf3c5ccea62ad01

SHA1
0972b2ffb3118e4fac54c1397c7e6a4c6241b296

SHA256
18a884bfbe768386c01128c948dd66aa09d3f8844a4a0a1b19e95fde4939d9de

SHA512
5747ba97fab6982f1f4df5e69f95451965e0d474275e8138c9d17554baa20835f9568b886eb5d7e48a2746af524eb187c12b3a24b546de6a10b6843dc4ba8fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ee7c1efc79319aa8a1f55d3e024e9d11

SHA1
5de3b33eed8d94f13335b2e69bc5e22bebf906c0

SHA256
3b80f78b5a52158b2a296c96ecaef1bb889378704ab2cd52c9b85a816ab12790

SHA512
d3aebb8eb19c32349d99a56b5e3d86e34d1a5765bacc0cb5e6353c16007f2fae33722cce29c81159eb3abff030bb6b5d5d106c4159d8692d970064da26b8f7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
5850a395eaf955b2e6a5623004f625ef

SHA1
ffe1281a2ed3cf5d7bf822bdc6c33c833685a7d3

SHA256
3e6b5bb02f68be5167bfe725046e7a4c8c298610a405498f7d97fbf7bf383e40

SHA512
a42e71da9e6e85f00d8cf08be4f4fab1f26bad57a95af9ece97c388a17519838040d6f9d34898be90f70f769a931e80cd84347f24950f022ed1c3ec9db3b058b

Download Submit
C:\Users\Admin\AppData\Roaming\f461b362293b476c.bin
Filesize
12KB

MD5
a001c9322f5cc8aca9026ea9153b5c86

SHA1
ab69577a21bb82ffb5252d5f0e935275238ba9aa

SHA256
d29a595a350814ee0d9979262da4256ada34c030a084c8780934de8da9ba6d5e

SHA512
c09372fbfc71e32f61eebaa2d1733cf373fbffb1a5bd6d9ab69b40082f4db1bdea029d41b68833f3be7ee7027d4ff389db0e898d25926b42587153eb4b943f69

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
544d5f4b96df6656a41a10495a369620

SHA1
cefcbb82396322f7fa73b870aa29038ea38e9cf6

SHA256
cd526d31b8aa1da5a083133daf8eeb7c6f8c461b14dcf3161f7e291eca7380cf

SHA512
fa470be3dd01a23b6df937f334c738263569dfd9510c78e58738b71a2b4e3a8d548f9b0b11b0c37a6e373aad1e3159b356c91abab95e7675ec8ec3f3d6354ef3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1b414cc26beea35626e140dba07f0bd2

SHA1
274cb2df72da6f1e7372125abe4199c18ddbde42

SHA256
e707eac193f4c5e18cc754bb9708a087d3552e8368775a0cd4f142c3c4b053ce

SHA512
41dda3d693ed2190f8f4316148a20e5ba0cec1cda18ae0ac6f6d35ae91238e88c62907a623c280830250031551421f762d9ec658965113fd0bc23c3407500636

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
a9b4fa58d2e02ab24883dbf61c1743bb

SHA1
1d0ffbb030d1fc6a4721ace3513b4a49fc95a916

SHA256
ba8aa33f1cb2d78072f580da2498398e1d8faa1710248a0dd85c65b52c9229e6

SHA512
8ba0caaddd4664e24402bd320c0ab3a6a50de6ee0a9ea4f13753af1c6be8c7baa3878dc0b0ba045dcc4b6da1793f87edd3bf52d5b960f34c733fe0af86059604

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c9381c19a00d608d73655f1f18873fbc

SHA1
16eb5dbded152cf10f454633f7538602e25e647f

SHA256
054c1066fe9b47b8fa1a98eea48195c6d406feaad12207148b6382482d25dd3c

SHA512
d0ff373e5c7d4ad39e654c2cbced26e17560adbc9e885133b69fa21222662d613a50538db9a6d167f8da78555d4f4d32b34d2fe2d9c5c63f2e1d31f7cd2bfc06

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
8879477b33908562afe2712f918c3757

SHA1
45cc18c001fd46226a233e3aa923e2254509c0f9

SHA256
1e4a026624568c21948e7227bdca911c1c012fd47df702998b9a981dbf62d6be

SHA512
a82c6e9afceeb2724c77e93174de463cfb6888f1800d7e5d29127145225824885d95e4b356d2341c5d0ffb2e314dfdf8e8379981f3bfaec46a8cf1e1dacb9c32

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
3ff3823359f8bea70bb97614ae74e2a0

SHA1
899ccde504e8226c28b35083fa5449012f3bf234

SHA256
6e07edc697f0d12526b6ab86d0c231f83ffe0fc4029ff93f76931eb4d578e233

SHA512
1a304c906516247ff294fe2404a615a8d76157cf6d8199bcc0d9485e8e5bfd894b68be88425735c4c44303f52f9113dd0e4b6cb025d2983cc51fb1a46a00b3bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
c7da6f7aec9ea3011f59bfcd4ca7a7ba

SHA1
87e7f470042b84b0c5dd9cd607baf6313730d997

SHA256
9161610c64f51d8b3dc47b633f63da982bd028cd7feca6326ebf0b5c17c57a4a

SHA512
185b09d61d33adc7980b8a8019681ae8465389089bc960074bd60e63d3e7e560a968c3bdf8bc5314195bd1b15944d1eb20d1925bd2c85a68feada382b18eb135

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6d2060ae61d6e6013c6cd3e826b70a87

SHA1
f8b7e115f066536bb720caa3e616fafd0b80d096

SHA256
37eaba3a3ebc64f11d4a4ba6079c6b49326563674eef34d3c48e3a182c7d8bc7

SHA512
c1aa417aa3e13a6aae0afa259007c19c253a01d7a0ba2d723b249bbf183047e458cb32053d3835f8aea7610cd6db47acd382105237edf81ca4ef88ce02c6cd95

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d5345f790e193637dfe66741381d3994

SHA1
777d4dddd85d14b49ee166e67e8ca90db22896dc

SHA256
69a69de2d7bf00b1bb8847c76e9958da25544854c2979ec4a9a67a2c386fc1a5

SHA512
040eb359e334e2aa3c02592f7be29642e8cd67e67c3190965248a1803f9a7c51f2cf54fd7ac8dc71bb748ba37a263f219d1403959ad274325dc5fa97431f93f2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dff3b4aa33707803c7a2fa6068b0de4f

SHA1
06b05c0cb00b8deceb305932d02905cbba6bc293

SHA256
595b3ce760695e6db893d89721baddcc164ddd36b9d6d1c963a9deb6402b359b

SHA512
567cd1ef824b0b959d8ed0a0f323c3ed128f8b0a8a1ace8ea58dbf98fd728e4d45cf4e1cca5a4168ea3ae36b62019a020f473239d7ad4b6f0a95cf69da36be81

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6a30e5f7adffacc086740e6719d0eb4f

SHA1
0b27801a7eac3577edcd08eb4aec327de09eb919

SHA256
c52c7df5636ec485401eb6c74de602c4a701642a0d53fcf4e692dc33c5c8a28c

SHA512
6ce43f68b7d5b7cd61b97346b9dda9a32987151250010a8c4a81a09e6cddae136f8980e9e55e21fc7270e632a4245304052f4df59dee6a428bf12e88a599d87f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3a3bb49a942b05005e66de836f8b0a0c

SHA1
714a788da53469cf681b2de97de5dee2f8724326

SHA256
f067e98a2a5cac87f7f4ba29d6f1fd97cc9ff64189eca1dd191c0909f597b607

SHA512
9d1339be879e37dbeb0e580523baee4b5a39e281bcf5a959e8e779625b57d31e329945a3e0f703c20b53a829220b06f34c0f2fec7bca6438b50c9e10ad3bb750

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
803789262f613c6e556107f575d53358

SHA1
1276e57231a75c13793d4e5535fc4494a59e6372

SHA256
23c4c906bba9357475dfbaebcb384dad45edfb82ee4cd1082a13f37bb749037d

SHA512
e72fadc63f4e6bff6c8955dc40698386f111329d5fe94daa34c1c32909d9d53f62a255d0fe6d6e281af652fcad7288a0f22a209154c0913521d2d071de3bace8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
121307b45bef1f03a5e358453fd3a31a

SHA1
1c3f679f04ec87ffceef8b34b4dfc53f0709ac27

SHA256
6114d1591a0c89c20b995c6d56d1802b31426ff9d4c55c5e31ef9f4632a25ad3

SHA512
038bc0701381e6c8a0baf4c4fa089609ac828dfbd26c6855636365757dc1fd000ac400ea74725f0d6cab88630a01292c0f77b38692dba2deef312db3deb4962a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
042a0ac33f0a6183f5df5ca515c8ca05

SHA1
952a5e238888b1ceec544228f073a4ccd48dfde6

SHA256
078ed779a421823dc46ad9968bfc5766362e5ba302e2190934275e494203ae16

SHA512
057ef0aa089263e0c44ecac7e2e938b0fefc31a5821d39aec9e532e782b5484c9f1e8504041d56932993b11f5c2bdfb2b5b6d722a7fc155633931e03b5ea9c4e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
eb9364e25cf0b9139c50fda13e0ec3a5

SHA1
47715631b0eb0a420ef23fe427d3fef938bdab30

SHA256
7362dc8fb166ae5e9906b5e086d8b4b0cdcddb787742e8557d09256861e8fbea

SHA512
f3d0a7143f0cbd058286ef5effd81cac5688acb52ea0291bd7d4daebcd7a54602561321332f279f56386f3b14df733bccbd5e5d78fcb4804cdb5ec24824afa55

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
a754753d8444caea18d580add46d5f5e

SHA1
68a0ec79eec61e0441b79788cc337de9d56d673d

SHA256
9274bb01b9115c7b9b8d25520543e642c3c5f1ebb378a65347e15f2348194ab1

SHA512
7c39c2a1741997e2d6e1b38eeb92917e114d8f7dc6f200d3e72733f40e50785cdb96ecce3f0758821b21cec08da6b83e552297394e4d3d69e701c9cf354d3de6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7640ece2ca57ee3b40479427d55f1d52

SHA1
104184fd3d34c3703661746c34050f4e35018911

SHA256
47f7a5a00f39d992d14fae835ff3473ca34c958a2aa34510d80c7671e1b16ba1

SHA512
4191c95108d4aeb6696564ad890f64fac1f1dd4a2b3e7722132256272ebbb12e64b723943fd5a9e16822c267ea5fd78d6515d7744987e713ccf62abb5c83adba

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1b22f381cf383cead547a9fb24b8dbc1

SHA1
d46f7ca64ce537c7064db750ba1dcf8eef9d6b73

SHA256
d8ac0d6f3db426862a0e4c5030d839f3ae8193c4cf2130de89be94f25371671c

SHA512
f1641e9592ae883d8953dea52f58a539cde8e418c08afd11305cf7b0a422e688135c31a333fd11412e0643e56705bf000d5791ae525fec7d1c923dd8f60dc512

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
e197d7af7564884c8eeb54687983740e

SHA1
432c37db4807ba0468b816fcdcfada318ad88ac5

SHA256
2e3370edbf91ac565d8928c994e9dd8ae7494de4cbf40106668a612a2598d449

SHA512
93ab4de9e7b8ab38c0fa4e893c2f65cd358fe572d1de5016bea7048252a4e677741a1a18027850ac2d8e601cdc763e99d360ac3e6709cad284ddc75f0726d2e5

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
572960d7be38e597133c1c11bce65a0c

SHA1
c5efd0aaae5191d4d347a1fd3c3ab31bd23adc8e

SHA256
9a564aee556e94d73c30b0d9c012a8ac15d30a69331138f38b3e1755c396ed05

SHA512
3e7338b8864771d2b3e2f960aa28a0d9288c3b8ce2c0d19666bce9ba2a5d5ae68d1239062dd0425049061ab9988dd18f6d2b6a5303fc6882a71fa3af6cdc9496

Download Submit
\??\pipe\crashpad_3380_RVDFQAQPFINRMUGE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/748-214-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1160-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1160-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1160-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1160-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1356-505-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1356-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1460-209-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1952-211-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2328-480-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2328-455-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2740-670-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2740-468-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2928-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2928-9-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2928-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2928-440-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2928-21-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3952-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3952-94-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3952-88-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4064-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4192-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4192-54-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4192-48-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4192-341-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4248-427-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4248-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4276-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4276-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4588-224-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4720-442-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4720-605-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4868-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4868-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4868-40-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4944-222-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4992-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5180-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5180-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5180-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5180-522-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5296-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5296-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5396-523-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5396-223-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5516-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5540-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5544-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5576-205-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5576-100-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5920-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5920-463-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5920-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5920-18-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/6132-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download