30e861c7c3d0d54fadc1ebfdcb30f051cb0013ac79bece5075fbf195c84fce76

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
Size

5.5MB
MD5

2f0f513e5d2c13923b002d1ad7512248
SHA1

9ddb081a24d5c89d13587d3a085942477117188d
SHA256

30e861c7c3d0d54fadc1ebfdcb30f051cb0013ac79bece5075fbf195c84fce76
SHA512

eba32deb511507be78b40ec1a1e881d1831d1bd9cb729a71c271fc4ac72cfbb6b81de356c61a30fed94fec4bfa34ad5363fd2b49554235f296e89a1dfaf0cc0a
SSDEEP

49152:SEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfL:4AI5pAdVJn9tbnR1VgBVmjmqrWETR9b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
532	alg.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
2204	fxssvc.exe
3228	elevation_service.exe
2188	elevation_service.exe
4056	maintenanceservice.exe
1884	msdtc.exe
1744	OSE.EXE
4200	PerceptionSimulationService.exe
1124	perfhost.exe
3708	locator.exe
740	SensorDataService.exe
2580	snmptrap.exe
4164	spectrum.exe
3504	ssh-agent.exe
3584	TieringEngineService.exe
3456	AgentService.exe
220	vds.exe
3464	vssvc.exe
4488	wbengine.exe
4856	WmiApSrv.exe
4552	SearchIndexer.exe
4676	chrmstp.exe
5516	chrmstp.exe
5432	chrmstp.exe
5732	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60bdba9f293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4784f9a1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000668a819a1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027eba29a1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cbb559b1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002050679a1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610576614927245"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0653c9a1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9f6509b1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015768d9a1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000299d949a1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
4520	chrome.exe
4520	chrome.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
5504	chrome.exe
5504	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4520 chrome.exe
4520 chrome.exe
4520 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3980	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
Token: SeTakeOwnershipPrivilege	3680	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
Token: SeAuditPrivilege	2204	fxssvc.exe
Token: SeRestorePrivilege	3584	TieringEngineService.exe
Token: SeManageVolumePrivilege	3584	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3456	AgentService.exe
Token: SeBackupPrivilege	3464	vssvc.exe
Token: SeRestorePrivilege	3464	vssvc.exe
Token: SeAuditPrivilege	3464	vssvc.exe
Token: SeBackupPrivilege	4488	wbengine.exe
Token: SeRestorePrivilege	4488	wbengine.exe
Token: SeSecurityPrivilege	4488	wbengine.exe
Token: 33	4552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4552	SearchIndexer.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4520 chrome.exe
4520 chrome.exe
4520 chrome.exe
5432 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exechrome.exe

description	pid	process	target process
PID 3980 wrote to memory of 3680	3980	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
PID 3980 wrote to memory of 3680	3980	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
PID 3980 wrote to memory of 4520	3980	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe	chrome.exe
PID 3980 wrote to memory of 4520	3980	2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe	chrome.exe
PID 4520 wrote to memory of 3104	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 3104	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 1820	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4528	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4528	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe
PID 4520 wrote to memory of 4424	4520	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_2f0f513e5d2c13923b002d1ad7512248_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fff9f20ab58,0x7fff9f20ab68,0x7fff9f20ab78
3⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:2
3⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:1
3⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:1
3⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:1
3⤵
PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:3120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:4676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:8
3⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,3077789654662886367,14968181426414942150,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1884

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5644

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:6000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b089dace443ed13cb3aff31511f64170

SHA1
c82694b45616d3154b77f2fcb9d3d6f6187ec436

SHA256
1fe0a2158b7545374414a45e32af525c10d7e40c447783c19b6a4d3c3c925612

SHA512
677d2ef91d46747956c7d0a3ed93520a9621612304223c5ce5d8f54776652fd4eb10b4c10c2cb232177b95ae1a7a4d20e49c5c3dea2622d16f03220546315295

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
895bbb76b21f6ebbda498c3968e5e40d

SHA1
669a418852c86dcd6113574db14bde9cf0b64f4a

SHA256
182ec57a1f1111ab4e152a25eaf2583ab80edbeb228fe2ba4ae8d403ead78db8

SHA512
e62eb077eec97de93ec6437194bf600cd93a78011f17e2df8da9df99ad146821ffbc574c5445af87012d91cab8005d2473727b7fd77a9bc13119549f5965a9a2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
6d9138240e83fc598d9ccbe48f0fcf89

SHA1
c413811d71199526540c1da6be8aca51b1b2cc14

SHA256
f4b55dba300c9aa04a8224572f75e322640bad48fdbfacc00d57f8bae512a870

SHA512
d123742091e8be36d1e848841e8cf93c5151aa7006e2b060ca9f4800c3db33333f6a98e5150938f60bf6ab69bc2df64e0daeca81fefc8e720c0c7234a012a33a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b26a606100955d617dc8a463a879b4f9

SHA1
de6cd358f991f271aebeab724fcdfd3fa9ad0a3e

SHA256
df436ac2487e08ef4ba67220fb63e95bb8b270c690dad41d27bc481089fbf42b

SHA512
edff2c1ecd76caaa2a0a6457c4b99da8b2fc290e3d77e2b60c92362e61fbd0d785443400f368d8ff2d00235945a59b4fc5594fdf41a4719c9f48c28010080b48

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
027e8a47ad00a334f9c2912001c981ff

SHA1
e31837c4e46ab85aeddb3fb6e423ce0080dd018e

SHA256
88c9ef68854444a0f500559f1b3461229557810d96651e892ff7cd1a70fe4ee1

SHA512
42215629d8a11895df2ac3f5c962b6bff814c0d58121c28144cba817fd92c20cbf5bb73d46d5058a4ee4079e75e9b474433692fc269f4d858e4817ee844346a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
7d4403eeaaac38539846d6e79dff0894

SHA1
0f1d0d7a1fae5e3bc593261f9ab54e299fb10bd4

SHA256
62e4b52c218aa699f6ba1f68ed8089c772dfda5b6c1a021b180a10eadfe7d56a

SHA512
dc29ef2faef7fcf81f4734f17a913321d3499bb9949959f11ae29b900a8b123a735b79ea34e7e2206a2aadff1bd1d3c0d8c90bee6b48fb2f27d9969f91532c03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
e1ed9fdb1fa587238ede034599b6e6fa

SHA1
61484675328e3482b81c6fc11c6d093d9bcc9ea9

SHA256
196298fab41e16b0035f89917de212a110ba0a19a5a684528d17a58bc5b0f412

SHA512
5930e36fca56df452b177b0ed29565e17253c72f3530b5bff0903bc9093c36239630e0ecdf2148a0950364866478a63105e3293e435a6619120430080c03961a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
48ee3585881cedf6c0827e4f1550c900

SHA1
3074939aa58954e7f5f16be1557c01906a5e0e72

SHA256
2070228f9e114cdf7d4c5b463431a868c4b302f483d9531b6657510accfd9bf4

SHA512
e6630fbc650240507e518ebc9c709af6b7bd039315f2df932eef21ca095357b5f410a63691348983d523bcc3e8d38c8d96e20ab3ef93883da5e4efc15b1ec5fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
2ad8e2fb249f03be4e49d1e30e377b5f

SHA1
d0445b0a00c8f64a32587b55e1036f881e85f3f2

SHA256
c8966a42f6148061905affd7665262c734f205b5ca431428279a03f2bfaaa2b5

SHA512
63cbd162b6ba568f17004424313b62995668f8c0a2831247ce52202c0ca5fe238778b5ad5c24643dc753b69cf48774ef6c923c26dc5511d80e35798c33831636

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
88b4f7bb404f85435f5a656027ad1a7a

SHA1
494824390243c5cdc419887f97f96b311e940da5

SHA256
fc2faf1e201d80de66de6ab26e69d33a7d632bd834f8344a9e1adbd27f148f71

SHA512
16ea1d76e6065b0d7e6f7113a03bf44346d7e11ab5e1c8a2e4e7dc664bb022528e10cbba04576c7936052b723fcc67446bb2ceaa7ca22baa2aaa0c0695b73d0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2f6a9eb42c787fd5e1b4a7c82ec2aad2

SHA1
8b59aed8af0150882fe94bd7c8dc4c4ef98875d2

SHA256
15c8a652630bdbed4a4ad35f79b40fac080ae1b60fc52727d6068bd61dffab7a

SHA512
324939b210f7c30c2777321b14551a4ee08133d31db5884ebe59db90c4f95b84fa8cfcda6dde6f2383a83b7230a91e36db49e26729d92f0394179b1bc04a7ee6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9f240c6d7e94e23b7a419707721886cd

SHA1
b11200e530cd47572cf5bec6684a097841e08091

SHA256
1bfab7bb226112d0e7520a5512220d41c4ab46f394a085274e86ec37499275a5

SHA512
f20536bd5bb3c13c614b42d8c73ea5ecd555a187f13d717521b945630df002b6f1f29188627b3dd0025d08f77ec28ea69d3d068484d6700f5cd6b5072d427a35

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b27315738693827e49571bcfa40ff57c

SHA1
7fd070a39184a0d870aa06b5380f7efea8cbace2

SHA256
d1880bd1e4f78468858bc46d0540e64c12710a13b347df81d12f09779862bce7

SHA512
32e7368d6870b8f63e96d22c049b197ebe272292ec33357855405b995aaf6e3d7c4b3b5f417a404365bfb2c4a19bccc1d080362f851f7041366ea67db3b9eda8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
1337ba663947f9f0f363878a39af7bcd

SHA1
e98e3e03cc86c7679c1d38fa9d7e99bf691d9b3f

SHA256
5c7bba2502ca16eab2824828ada88f75e56c87d78d7171ae058108c826b523db

SHA512
7a751d2d291f964dc4d95e3c615734ef2e0c6e7b54292e8eacdbfb29b54e962c6ee05e5fee9b1601a3171b27353dd79318aebe5baf44d459616cb4afa4ebbc08

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
36539de67f0df20a2b443930e17c01c2

SHA1
34d80aadb61da76c6680f80c54fd3c70ec3ddd09

SHA256
2d30b2e09e6221f44e669a9ca5f0be0325efcf8804f8824efc34bf239e6df09f

SHA512
2701327ee61dcb5ab7e58c18a236ac1edc690fd47b112a88c751f01b3a89a187c06cfc6531dbd5baff1a5755131215c5499bd139452e5be9ea1ac4dbf68d094d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
dc161a28ee1acd0f3a5b7128b432fa5a

SHA1
660e21c08e51b4338905a22fd56ff35db1f9fcc3

SHA256
1db228486de9331059cd9e5d0dcd5b26c92f768575e246e3823faa207a212ae9

SHA512
c547c84b897fbda55f8fb0f2955fac94c0046201362f95c8c3c9f5abbc0718ab9e32b2bc4da30f57562440bbf8827dfe990d1ac115d1951a766257fcc291aa44

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
e20bc309a41ebbe18504a212d1f2fbd8

SHA1
9a4808009231c583eaaf0bacee4d365a7405f6ed

SHA256
bb2aa8d796c9e0a5403ff94c7f816db56f65c6a50fd34282ab6e00cb4a736050

SHA512
74576aee14c7686cd2055e31d95ed00d9fe4b093c5097d55e9b83a3b53399554ee696e097e6432ce20ae3e35f18920562a1418c83ff96f468b3445dc4dfb9746

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
cf196510fd350c8bdd8eabebcdc19813

SHA1
3b2ef411a54eb809e7baf64051c19b5b6c9c5bdd

SHA256
6c3ce1466fd9eee1e6153af6fb5b76958f1ebf045026c071066fd7a0084281c5

SHA512
b228ed04d368a1b6312d2bc60ca4a356fcaff6701467b0bd608562c30ccc19e67f7d32b3dbe4e91c02f509702055f6f2325e6094c088736d2b258c9418619d98

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
091296631277cdbb77626bb9cfeefedb

SHA1
e7098e0ba673c6b851f6a18664290412eb35dac0

SHA256
a9a8d09cd23702ef04651b0fda0fd8bb318f71ef75f4071f5a51a51799e77190

SHA512
50db31a757c8d52806e110d3b2195739bd62da91436ecc359dbb16146d53da626f8ed3e9ca4e5a52b3633c948dd0fe4e369afdae67c6304af7642c1f39368340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
89c5c38554ca2972c14385d885ab9aa7

SHA1
633f2c1140b402cb4bdf5aee677a77b12474b812

SHA256
69ee97d3a160567497bc30c6b6ed1702553f08147588060a0a0335182803e03c

SHA512
d64d741c1dd3abb066075276bd12ce5ba5f0c2cf7c3b2ba64b4871ffdaee204c083b597e7fba9105beaf96e80a69a7cef94bc64249808dbbffcae631e49acf28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
5cfde5a28427862bb9eee808cc84154c

SHA1
85343cb4a7f94d7e4b9438296b04d3655996d886

SHA256
5cbed3a394cc94b07882a3d90df5f15d0d587af6da320bd41bb109e784fe6a85

SHA512
ccf486f1233f701d4e99f7dc3e302a6ad53f73203e184e11b6642f715f690d4c86c737975a8377a14ed68697323014fd476ba32afe4294e6e29033f8401e39f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b1145b2d50ed2f9bea006703d852894e

SHA1
3628c161da3771a13f6cf331ed2601e12cdd872e

SHA256
8b316e544426a58155c1d59d4ab7111612b4d3f7b406c522c3e1bcb73b9d82b5

SHA512
03a4b71a5a12d4254724aa9b1b89f1eca189f0b8469dc605a5dd3be6e3e9508faeaa2b026cf86a2cb3e8150b4884050f34f9226d36d325a12ad54af247289f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5778f9.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
8b39cae9feb2eab214cdf41b61ea834b

SHA1
8f115ac5a3e184e2d06cded9273ffb996d16d8c2

SHA256
6463c9bb0a81416c5dfebb0fd7670c95eb01f5618facfea87bb05b01f00cca98

SHA512
a1adc7dd4fa8c41db570accdb10c2406bea6b6df6700284158b6cd60f02fb37d3254dc31a466616f8e71463dae38acf1a59ce5c9aa87eee8bb6e5e20fe2ac553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
8b3d447edc62a2ed09f7312801db9e13

SHA1
90c238a3163964b2305115d290242b7dabf23ae3

SHA256
d4170435bf6ea61934c0e295f7fc12f4af7d3e153e23f46896b49f8aed22d563

SHA512
5f7241f01f5ca721c1d922d19d02f63c984da4395224930530f4b63576601afa584b58335fc5bfe566c6b5ff4246d603b4d2e3466d43c4ebd81ec89e991119e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
5c7ec21548e2ea31846ed76b7c6c4f0e

SHA1
a210e79cbac87c5e81327cdfad97ff99e73c943e

SHA256
cae0f0efb200de8888de4e6bbf53fb82c344be5a52d3bc4e04d5aeecfa6f90e8

SHA512
469da3189dd88075c208ae90b8de3e9a88f9ce48124d46f3569b10852907e5f203125f7b7bb2e3c749f0f8418ef9a408ec5bb1dcad1f7b995b292005d7c7a4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
9e7d3bc15567cd470af0198c5ff0c0a2

SHA1
ef04fc31445b483f4002890f1e7a58de9488d14a

SHA256
d8ebe64747e66fc6ac6d456939c4e54c519c3a43d4e54b6b8302c41c2f4ba599

SHA512
aa644383553e650df4d47b1a55b475badfa916a4f5256d42f940bbef8d8e9bdace0aab9d65b6e90b36ccdf8b1f765a77354b311065f44b3fe4bdfae6105ddfff

Download Submit
C:\Users\Admin\AppData\Roaming\60bdba9f293b476c.bin
Filesize
12KB

MD5
50600ff8ee33e3fa7c7193b72ea7d6a3

SHA1
4b36b2a38b3170d391ac5cc0a46b96c4d31477fc

SHA256
e121da0b9b329c4dfdf5aec2de63d65613abba9a32cd680dd6bb8e59256b2895

SHA512
2b127a77bdae19b348fade1cdd0275061fd14d9686cd5d391ee30ac33c746c70d2bf532e753aa98521ffc45de178af3346c5d2c40de1f119d916021188b6b5de

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
f9c7e3f7359e49ca8bbf3bb8ef2a7ebd

SHA1
451439b29903a65776be3dcd81cbd25cf714eaa8

SHA256
11225f8d38f0071b2aa4cad53b572c501372cfa91c0ea770e0f0c8f3d9fb6910

SHA512
af1194b42c47a2d91ff6bf866d3125082650d7fd033a42a67c3c3008c2edd2d8023ee5d60fd6f18a08be7d9edb04957de9da5d0330320ca96db00948d96cbb4a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3db1ad486a2efd1637bf0f69252f059c

SHA1
66efb691029e3086beaa56fe130766ff70f50455

SHA256
bdb3b6789896483f8b540e9bfebf7f5011e213e776fbba073a94da5d4a71ef6f

SHA512
da69eabc1e956043b9f552ef270a5f4e12b09fa2d34907f74b3630901863c377c1b680e3bc44898f1d819e2e7f925b5ac7908dec17f6fe7f8a7dcf28889d5739

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
b5b596262d92950f7e1b86e96d8510f3

SHA1
7e915da11769b4839b4ce35e17cee9a09818b80a

SHA256
2ddb43b49bd61600934d96ce2b38faefcab6a518fc4bf0cc94146f082432af99

SHA512
7473c9a27d0992d49306ac8c4bd79ebbb318c9caa3d8184f20a0db84aa27e719a2fb848321ad8f5ed8919b00552dcb41f53f5c77872689618b74f614794ec28e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c00bb209e8f559388bd9bfed63a2e95c

SHA1
752e59366649d8448a87de63f42d1ac003f9c52b

SHA256
f23a567dc6a1fe31685132c0b72e9ec871df23da071a366b148e80287c93f6d4

SHA512
27bac77edb9b9cb9b8f0ce0a6c167c24f767a31cd7526c77524980429dd8639012765ff5748d07f589c5623d9e08e69744f821edba95bbc91819ac9063fba82c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b6364ef0a789df947165514b16cec7db

SHA1
65ea13b6be25c63e5a1e85cf308aaefec78bf73c

SHA256
e387b51f26270c93b0e83d69a63344ad79c2263ca6e45e7a50b9bbecd3136297

SHA512
169ef5cb850a0f97e160bb92107e5a5ec5b122c8183d90b37a43a2a5d0104380347b8d37edafdf5c245c758b3e7e7b82ecaced0aea88bbfec79a343f8450454e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
ee0a74bfcec098115e5a56c42a25b9e2

SHA1
b93fb5ac50582f1a500703a7060e07855103bfe5

SHA256
85b7f95d354053fd4306a2bbf455e5f5603fed2a05fbaeb77d4967c930d94bbe

SHA512
b0aff25aebb6adcd9ce2f3b4c250f8a422b21ab0e387e402d44f6a019f186e4b4809ef9fcdac21c4c6eec19c3ca8b8c4eb14901a7221b5fb87d2d8e3849afa4b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
78e522ec7817004ad434ec207ceee042

SHA1
e8d8b7aeeb2414b5c9f4b2b76e8ef2a8c504c8f1

SHA256
b2b3cb7810577924b0707371f84a3322fb0cbc166060399589cee8f8d3631806

SHA512
0d0204933e56881924e7fa8ec605e1a0dcc4747992fece555fde5708643426dae5ec7812c5758220647ad2713cf290fe303025202fa6753eb518e3a5cd62312d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7722408017d70d7517937b5132ae70d9

SHA1
4c0a3328f5bec061f3ba8acfd2eeacb58868a641

SHA256
46681a5c44db666a54f378dceb8585b0604e14e4a901a697075505731232aefb

SHA512
048b7e1da53ac7ad7dfb31d579d8c62e36c809057ba74ef58ff148fae455bc5f5f1b8324cf385b23e4daee99ababed11fd81897d6bc44cfe999dcb78537f3a7e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
60d5ce32430b6d0b59373fe485ecc4ed

SHA1
176b0f65c66d8185aed825158d724e6281d604fa

SHA256
915253327056f36b5cb9a0a28c925fb18c7266230f8bde32e2bc0d0a823248cb

SHA512
6d0703395dc1e98dc4d1fe02897125c09a0271b3cde7bbc83d5fc61f8b993c1dc8a7ffe0581cddd6caa69684a5d332da928604f8d0390cc3531321f672e1fe64

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ecba693f4deba65af69ed198c36cc28c

SHA1
01209cc6e28bad1b3ca24043387e9fb5832e550d

SHA256
e45d206cc7de678acbda0853f2335e8ace6d0e3fb4400d31fd1e0d4bc92a2704

SHA512
d6ff20feea2f507990af775628506994772b5a027dd426cf04f85b7fb13c262f7aedac2a77d4f7831148b03cdb17621cb02d47c864a9f572006c6ca8352234ce

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
0ec89a45dd8fad505c1e4aadb6a28887

SHA1
af12714a0de90f9b17ddfa56249474c1e5c2fd62

SHA256
60abe44d271a51e4292e2254873985367e982a46af83571f10cdc5659854f2a9

SHA512
c027e0e47deea394aa99dccd71ed30101a53f3b5934a27ea267cf7a43aaf2fc51bb611a0f5457bc64a6160da3dbc5b46ba813e6d32b82fd3b6d7fbc16c3b02b6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0ee1f5a2824d7d981ca2be4c3aa0ab14

SHA1
620388e659b627a531aaf126212b635b3945e630

SHA256
a247c7cb3e4f7a5a1cdffa5397de16f85f9214e9c540722f892e0336c4b94cbd

SHA512
3d8f9cc63ee44fa8b842381843b8dfb59435edf81e3b7c7ff209b6b493ca39ab7e81f5529ec5ed61d72ee7411f265900f56ef2a544a0172b66492a8ef9fdf702

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
80954d6e8f868afd3de6603bf7266bbc

SHA1
83f5d0f76a3d72bd690517ff702a5f8e2dedb467

SHA256
9cca0ea6aef04636b0813ffe387c5b4e4c754eaf03def42f90e35c8f9c649f3d

SHA512
0e3f8bff15d35b5ae522f576f24efd5c5e1a696650d3784ca7ab482e09506abb3d422e685a66b3ede7f22be66531de2f7982d6b99a876cc0ea8deabfac700e90

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
fd1fdaaf599cec3ead4a0c1954ec756f

SHA1
908bb410c5d93f0bca9dcd5196bac8cc478bee04

SHA256
4753a7de9d986bdcc8d4015b4a3e59f70178968e5fb9d5988f1cfc3bf012831b

SHA512
e893880f144941a2d7950fd1ba2a5f6d65914b226949d8ba66de6a8a988f14e214acafe56afc62a5c60edf2ed8d7344d91c57f4cd33f76bfd3a3d51fb6ad07ce

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
4aa25da002160c8f92aa6de9f1c118a3

SHA1
793416129b6de7c050d374e67229ce4366331925

SHA256
a361fe3eccfbe2d89c594678d8896e13914c00939957cfa6f165ea0efcfe00d1

SHA512
c2896cd604d88fcb99ed8fb4e82a412762f51c9e2d6cd882a1c1e6025ccaffe2f5d6fa3b56acf72ebf0273189d407e6f00d8dc2df4a0fd95fcce2c29f1d11322

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5ee2fb120134fa8da7e4b81646fac58a

SHA1
5f28f2b298bdc6ec424a444f8ac95b207c6c4a91

SHA256
a9ac4301a0b30273cfb40081a4a6182ced6848f53edbc2f1b0f74a29c78be97c

SHA512
de086b8b6675963d51ccf5458e3a782beaf5b76b8cd39f462d1ba11eba04e98a700e17473b531751fb60fb4492e10aef72c8254a981abb927e7314d5aea48cc8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9b4d68e9158b8a381056fd5d70ccb2ef

SHA1
4bb1c26ed3caf5ec286fff68b2a2eaf8bc404470

SHA256
890ef156b09078dbf416392fb42e3e4359cbd0c4bf527b3572f10e500e0572db

SHA512
7f5b78b4b68a19acd717b26a82875e5adb31d5354a3af9e195763c4fe2b5bda960c6e09098f633ef1a604a20d78f88398ad27837b2a1d87d1f791b04a7cd542e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
cd4cd72a888654f79135bc8f4a644896

SHA1
e5b54ade621b52faee7f04dd7b205dd65fdabf8f

SHA256
3022c8bf17fe76267c721e80c66287d674bb8a3e7d3eb18f98f1db7f3df1aac5

SHA512
60fed3db4a844d8f4757e705fbf7c731c8400a4f36ad506167aabbb75c1e40b929db7278d7d6854552296a8a29f152cc6ea717d518be26f9eb733ed82d96c38b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
322d1667a9faf36ae704500bcc44d2e4

SHA1
01bcae8fe9224d959fc59a095722b832773184aa

SHA256
fd40237ac16cf6bb0d74e592ddd170cabdfe79bb73bf48dfd96d96eab82b1431

SHA512
0c78cb762593a49325f7bf39ec4118936e0f606361ff979b469932736fffa4c85186e28945c012b92a200d41f30d5a5f2b5c6bd333e860bccb4737faf37be76d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
58d021379d112d07551a8d01fe46f059

SHA1
29ccc5c7fc92c29f60f3b8950d7cb4b7a2e7d61c

SHA256
cec2e83b39c51c84b691545f04a964cf8813da64e67aa119631ffea532b432d8

SHA512
7bc18e401a81c39fe0733cc33f1be7da36d39b413583a06457c65bba4995319bb81c4208cff6e4f9c1357433d230a760c545eca4a3ae2d9d9bfebf916837f4c0

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
eeff48588cfcdac97183cdf0da1403dc

SHA1
d1810fa11564a1e446facc87dc743e73876550b7

SHA256
fbea1e00f3192f3a520c9157f58717c92e81dcfb9fdc495d4f9e4be7061b94aa

SHA512
b1f7c9c422d312b5060d5ecfc4ab21fb4f6be4b841362d25424e89028f1164f02bc176d815a7157125316068a401bafb855bccc3c4fdc52f6ec6b431ae06f978

Download Submit
\??\pipe\crashpad_4520_VSAZJZFZJOWMWEUN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/532-515-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/532-33-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/740-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/740-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1124-175-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1744-94-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1744-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1744-88-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1884-172-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2188-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2188-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2188-523-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2188-170-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2204-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2580-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3228-351-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3228-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3228-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3228-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3456-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3464-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3504-213-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3584-214-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3680-459-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3680-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3680-12-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3680-18-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3708-176-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3752-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3752-520-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3752-41-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3752-42-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3752-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3980-22-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3980-9-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3980-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3980-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3980-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4056-77-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4056-71-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4056-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4056-81-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4164-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4200-100-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4200-174-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4488-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4552-247-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4676-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4856-246-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4856-524-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5432-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5432-472-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-435-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-526-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-623-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-460-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download