b0926d8ef240f74d31b034fd8d7b013b25f0d07ad062d8091a68afd2c8889045

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
Size

4.6MB
MD5

f018ea6988d8a36e6a1eeefe6a1f8e20
SHA1

6d1786be242d610937d87b76dd4495882a1180da
SHA256

b0926d8ef240f74d31b034fd8d7b013b25f0d07ad062d8091a68afd2c8889045
SHA512

106b37132ed8331a119514547b696a1caa4023c3a73ff445c8e6085719889b18a486317a08890b9106e7bc61e54cbb8d0f2047a2bc43465af4fe2d5787b0e700
SSDEEP

49152:RndPjazwYcCOlBWD9rqGHi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG2:t2D8OiFIIm3Gob5iEK1u60i5A0+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2788	alg.exe
224	DiagnosticsHub.StandardCollector.Service.exe
5104	fxssvc.exe
2808	elevation_service.exe
4592	elevation_service.exe
4412	maintenanceservice.exe
4388	msdtc.exe
2888	OSE.EXE
2240	PerceptionSimulationService.exe
1064	perfhost.exe
4900	locator.exe
3344	SensorDataService.exe
1852	snmptrap.exe
532	spectrum.exe
4376	ssh-agent.exe
712	TieringEngineService.exe
1564	AgentService.exe
1832	vds.exe
1756	vssvc.exe
4784	wbengine.exe
2168	WmiApSrv.exe
2448	SearchIndexer.exe
5732	chrmstp.exe
5004	chrmstp.exe
5376	chrmstp.exe
5516	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b943bde085dff9a7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0F1D587F-0CD0-4502-B48A-EF0248B94ACE}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc8b50bc5acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000867b1bc95acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3a6e4c85acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf3553c85acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079fefac75acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008627e3c75acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca12efc75acada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d44c09c85acada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d02602c85acada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
3428	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
224	DiagnosticsHub.StandardCollector.Service.exe
4924	chrome.exe
4924	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	400	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
Token: SeAuditPrivilege	5104	fxssvc.exe
Token: SeRestorePrivilege	712	TieringEngineService.exe
Token: SeManageVolumePrivilege	712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1564	AgentService.exe
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeBackupPrivilege	4784	wbengine.exe
Token: SeRestorePrivilege	4784	wbengine.exe
Token: SeSecurityPrivilege	4784	wbengine.exe
Token: 33	2448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2448	SearchIndexer.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
5376	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3428	400	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe	90
PID 400 wrote to memory of 3428	400	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe	90
PID 400 wrote to memory of 3396	400	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe	91
PID 400 wrote to memory of 3396	400	2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe	91
PID 3396 wrote to memory of 2768	3396	chrome.exe	92
PID 3396 wrote to memory of 2768	3396	chrome.exe	92
PID 2448 wrote to memory of 5820	2448	SearchIndexer.exe	118
PID 2448 wrote to memory of 5820	2448	SearchIndexer.exe	118
PID 2448 wrote to memory of 5844	2448	SearchIndexer.exe	119
PID 2448 wrote to memory of 5844	2448	SearchIndexer.exe	119
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6108	3396	chrome.exe	121
PID 3396 wrote to memory of 6128	3396	chrome.exe	122
PID 3396 wrote to memory of 6128	3396	chrome.exe	122
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123
PID 3396 wrote to memory of 2252	3396	chrome.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-29_f018ea6988d8a36e6a1eeefe6a1f8e20_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9011fab58,0x7ff9011fab68,0x7ff9011fab78
    3⤵
    PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:2
    3⤵
    PID:6108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1668 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:1
    3⤵
    PID:2564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:1
    3⤵
    PID:2804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3640 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:1
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:4928
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5732
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5004
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5376
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:8
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 --field-trial-handle=1904,i,13621213839940441632,13877089353510258351,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=2792 /prefetch:8
1⤵
PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
526ee5701f7bea04d06cf10d2e3bfc3e

SHA1
5e9663bd5c49b479c37ecbe7bad78048189220f6

SHA256
3936609bbeb785dc34166a36671de4c6090744709da88998ff23c295ae54a52d

SHA512
7d1f6be8c07683a3c036380d8d26daab77b4c220bce57eb5de8630396eb95e237bde97f602fac45c85c544379a3630db89eb96e434e4ecbb48c4c6fdf90891d5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
294ca3bf9561ea44340de3ed33227d89

SHA1
56a27e0464ab8442c1632b521df44498d4a63d50

SHA256
c5ccdfa0de3626966ba3c246b0362e51f33965c82695c2a8b42ac8e1368e41f7

SHA512
8342c306f443053b6a4fc84320aac1a715970fe9b98a8ccc72069f122abbc99ce6a84f73a874fbfb7027935f7e5a47b17fd4e136ace1a2403a98aa509b69ea68

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fc01ca838b440ac95650fa83d2cfe645

SHA1
067d591d77f078ceb234ee7a869427964ef4b86d

SHA256
6787b64768eab479d58e14d84c04baab520216c4015a72c34c6ff57632a29cff

SHA512
2d84a4220b1df9e5dca822572424b56ac142eaf72d58ee084490d3985867902d351b3df4b6e4c54be52b2427264098d0ae62a8d744269d9d649a12f641104bc5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
69625586b36fcc6d79dde104a450cc33

SHA1
14c07f89cfbb651202893c07658a2bd22b5939a1

SHA256
2e7b9789606bbf3198a95d13a2481879b4c4df656a1a5afda1d49dc33c60f8f1

SHA512
dfc2d41ff0e1ab025911377965732446cabe9f3eadb2cf9c0c40845ae77d497a5f53938ecdca3f2286330be70ebcb8fb64ee67568a817edfff126f72937854e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4b15ed9e8698876a65d8a520718cba72

SHA1
1e5652275f44d0e189af31638a334bdbc4c972c6

SHA256
acf8011b6426abc0fe63ab57f2aae1a710a5271265760d615c6efbcb8c774585

SHA512
77373441614989277283c630f05ac7d99ea0e0d84d8d32f0a4752ba5c580f818d78acea5c0367ff34d8a056e6f69d74351faf77228e9ba41a11fe2db41752469

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7472dc24a108c1635d56b91893c627e3

SHA1
836c0e6ac07654b37332aa55ba6be2e286238f3f

SHA256
8aff6273e1d1042e224fee19957b92cb52ef7d6aa4358135fc64d3601167379d

SHA512
98e04db434f052b72fac21e1f2c4166739389fa77a64b238eb783e565b8bcca1fbb218120fa6250aed87202c9f588b315937a5f0c8bec493f723d0287e1930f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
808f4d640df0ecf25ae83f702e093127

SHA1
0212f0e170a6509dbdcc4c4d600731182aab2c56

SHA256
216efbbb3c9e7b19e8ed3efc0d4fcdff33b4dae8a53b769a0d053247e472ce85

SHA512
e3717fe03d98701f72032e97d610c5b38e72e470676972a11834d3133a0365d31ef832a0a285f218e6609caa3ba72be2019f8dbc0cd950bb6b1162d9122ca04e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
33282fa32c6ec8caae89955af77f59c2

SHA1
0622399e5899c7ccb9c25a2b4baef9e30538193b

SHA256
a3150fff04781dc61767104a6c578fa9b3640ec815ff512e6e7d895ea44545ad

SHA512
7b2c64f03ef2abf9e9fe9629403506b2f102b2fd7e0b46e315b052b9f601e5bd72e1ce9e8713ea26d4837a8aa620faf06acd85945ca61cf14f0fe18af9e68f24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5a5c046dd6fc2c7ff2b79f1f2b749db1

SHA1
06127495fc0b7db33ba08ff2e46ebbaafee4bcc9

SHA256
0934430d8d9ea28c0cb3f6b59a407af76f4f0b1af7a0e2dbb10f3b5b005a317b

SHA512
e6b532de908528bc234201c069c0ddc5a1623798dd0374159444773f5e370be851fe0619de3e775caf579ba99a07240d6bed3e62e0a2be6f65710da1b015959e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8d2a654e6eaabf891443a771f6d8c03c

SHA1
df5326b3ba9f28de6333d25f8be79646b03ff4f5

SHA256
634cf92f0c65bd801f3e9bb84ba26e6d1fdb5b8c1f0804aad780e6e95eb6df82

SHA512
8ce13b7f64e91b4d4f74c7432a66398457b94b8c7708b327da919d84b4b4845e7823545b0f4b453caabd07abb5acbfa034144573a71bcb1bd5f9c27f1ef2605f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5d7554a4d137beba4dfaf708f515bdae

SHA1
9d7f8826c1de8e3aebb3ad7a91a389a53da1fbd0

SHA256
ac50bb3b5acb645e421a611df422b503b5b07e2ad81d5d86fcf71d003d22c740

SHA512
5f7111522e372ae7addab735116af9485b59d47f95b3cf9d62ce64a90b0693669a497513871a18dcfc6c5a35e062377abaa006dbffe5672936e11af7d0eb6aeb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bea4fecdf8460e2139995b512c226e54

SHA1
23893d560e32659864adc9b7716ff6c1ce2a0bfd

SHA256
78f8b3e0af2a27d974342455f6ae10eead317c9b461b21b78bc41755f9a5b9d0

SHA512
257b77d265d9764a98c367ed0047fcfdbbb5868d030936c52f74304da0b10d0ab5a14ebc0c2a701de9b483216cce23b9c53d64ff9329e0164e844f63f6e667ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bbee5ef57fd7b80a11a563554e9d5f8f

SHA1
1908a00040b5d4c05ccf9e1e6ecff1a1a47d509d

SHA256
d730edbb83cf8e60cf67ee7ebcf0f8f1c66f63ac485eea07b9da26e11e12687a

SHA512
2d2d9b0de9fb3e905ce643e0e4e86fcb679336beb4e28a2f663fcee5ec39d7bf6e9a52c0c7c797e9938ef0f66e4fce0b68929125a5a6697acf3f155842b3f47d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
47c3f1476b55ec6350fbcc00a68c53d4

SHA1
bb7657c3dc985ced33a8fbe1c1da0558a99e3640

SHA256
716b16108df4f913bbf22fbb99636045a576ad8926cd2d27bf7a8b105602b966

SHA512
5dadb766354391ab134a81a0422f18314112aaa76f7fe5bf81a5fe512af6db722d349a029bcf840f3a3d60b44537ca6b2892fe7f6b54d10843dd73c4a39e6967

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
357f3533e0cfbf2923af44d4d9cd5548

SHA1
dfe0c46b270c52859904177c5988667fcd888901

SHA256
90a37dcb406bd23f0e748c9af4950fe84af0eaf7a6d980487fad4b37581f0c40

SHA512
3cc09233fc59a5213c58c087cd0ee952bd1da4f15d904206f0e51d161ab33b95545299f34b0a2339189ed54e59b219586d11f9dc5c033a4ab086ff031b14f399

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4363e4c1f3c67b724a896a17a1905967

SHA1
6406b6ee784f525293e67b141fa59fd840886a52

SHA256
b291bd155aedc0e8401ea653e5af5b1e828d71ad6fcd45f3b35a8a73495eb1f7

SHA512
2404de4f10f015541247b74864d010cd93c37ec73381b85f7867627a68d530dfa233115b2502916606350fc0e17ac11c671a2ac79014fd7b083fd4e579b507d6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\5b9c422c-2039-4860-bd17-bcf25fb7c2a3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f4555f399975182b6a24e6f8818efd7e

SHA1
672fc723cca0bfa8b0a73a1283a4ed1f46b7f120

SHA256
f35bf7a6e3066235128052a33e04372690fbf21771d5045fb40d1695bc9d205d

SHA512
8095b9c3a4387bb75df8d3efa1aa18ea0540ea1f0cfe722c9871e1dc71373fb2fd65c0dc19e23a20a5869f9b46c1ce8ab68cb8b4c49a47024fe0826dd79915da

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c1eec1e640bc3092a162ddf218c4d69c

SHA1
17e7de687e9f1ef2a88e4ce6fc6b9ff7fb24659b

SHA256
4d3c578546fe943d0835fa519ccc91b0efb0525bcce979524ac1ce65f85c1004

SHA512
db9b2db0e8c1f8025c73c071c633acb337cfa801322fb08ac3b081dedbb6c72041f6fa3ea1e8e97d3b7c9e6d2690e4dbb3b5296a86a9ca5efb01f35224597b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64d7569e7e9cd59b61724e5ca8024d2b

SHA1
7e567c8f3a278f528fd7d85d462cce4e56bb8e79

SHA256
8adde9c0e5b89d0b9041d73f1c9ef531e668cdc1d020e7625e45f7063569ab1c

SHA512
b4425d6dea07aaa95039db3491ace66ff0e4e64232309b2c7dfe29200823454c3f91391db09b01b83edeb298dd3a9ff1dd0198c13230763553160e5a2607efb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ef5293e-53b1-4043-ae5a-699633671df3.tmp

Filesize
5KB

MD5
6d538281a79cf6ec315c89efb8d7481f

SHA1
95b6c7dd310d82c2c8eac1efab3f37bc6827644a

SHA256
548cb3c0af7d9ce62e9efb5e73eb1047852fd3a51bf5e9c03970eedcb237688e

SHA512
569f16b0054a5563b2dff5b1d9b6708b231fe350adcab0ec5f15b1fd418506aefd10ba73a71e83f20a525b37209f1c53af4f2799e3bd1a73171419001253c31e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aac11a4cafce862a0fcc45099939d66b

SHA1
d38e46f1fbd6694468d3ed7ec2b7301d0e3d1dfc

SHA256
115271f0d7554f7fe6e5a9a8d1f2658628adeeb4c4385d77ca484a8fe9a4ddbe

SHA512
73d24ee0fd4dadc1533732ecdf6bcacce78379255a1bf70ff007b9c2969d79da54c818dd4ab89ec612864a3cb5f8a22abf5392762b109c3f2857781652cf3d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4d836b146e370a64b1f363b54b1c78e4

SHA1
06b720d267365b2e9a1eb068e4ba7a9059e65b12

SHA256
32542fa506854e4cd5b772a5df742297071adda91b1ef30a83775fb27207a2c4

SHA512
fe2ca5050282126e4c75557d63b3235df6bb55dfa9e200db9da2bbbcd11ab69dcbb73fd6c55a5e2f37ad7dfdcc1edc2b9faac769c0cb4eadd2e105067e895a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58269e.TMP

Filesize
2KB

MD5
a361d3291546212f08156eae58b34e1a

SHA1
89d7162134759edc4109797677471c64824c4130

SHA256
c94bf51d6a92796deea251ef7bc1c0bad2f1fa49fd8a4f62d6800ba729d275b6

SHA512
1100cf4de624cb6e3030e83629e5574da48e5d498f1ee3508f4b342b3f020a40a58ed7e83db413dda0036f15b81c8945f9491ae351647c579362b09f2654c18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
837c397cf080efd77667893f679143f2

SHA1
f9d49f50dde61e4b33bb2edefe7c6f21308f3f3b

SHA256
de053a74ceee5ca4f9a354e2bc568f57500037b813711f819906eedb0db57a63

SHA512
1ee11835a538a4bb77b094c66d883c817693af12343fbfae98fc27adcef65bf0e606d14c4e261c98c14fe38c49f44c9935979052e72a671bcff8e6071bc12d7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
8655b064778cef8439d5cf0e8f5f6f0b

SHA1
90f07140325c387c6a2e89f11f7821325195b009

SHA256
8a9e240c1c4fae5d7512fb5f3c4c31970356b08754c1ce2b271c6a6dfeef7d60

SHA512
20bdca07f996deeada55d427462f33fce4b21bc1e1c40fc969a378054676ee354ecef4837d5fbdef3faa642404da1e0026c91cdd8d9bb9c20bb6b32c4d51a7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e90d428afe55a9e04063079598fa4101

SHA1
629432aea51e463492964e60fa9ba5f4e99515c0

SHA256
651e1047bbc0cfa472adfbb44c66c0e6d505b82dd4a051d4af90f52ace7dc93e

SHA512
7418c7b7a6cdfd63cb5fdd28ade421b7835a1d62ccc9674a2bdcad3465159f7d90a35b003d5bd3c2bad1937acefb79751b7b76045a68d4eddfba1af68e418b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1f7261f029100ba0c307aa98ef44d6fe

SHA1
1cff20469e25356fc9a48ab7aa3c1ebd1e788ba6

SHA256
fa5656fb09aa8bcbcf07d8025568aa4f7536dd5cbe160e12ea3006e50e36b69c

SHA512
651a9537a79d4d10313445a294aa0de7fcb5dc59dde2418c4fa09fa8960ed05239cd28d33a04a71a18ca8c958e8739e7b3951c74524fc6f5e975413dad656a79

Download Submit
C:\Users\Admin\AppData\Roaming\b943bde085dff9a7.bin

Filesize
12KB

MD5
43c77a6a660e01cb69146eeced5fb82d

SHA1
9657a18642e741b7c0f345934e851d8707d5cefa

SHA256
03043f49ebe7dfca58abb60dcd6cc5b5783763d7838ffabd3bca7cceb45e016f

SHA512
4ac914aeba0d7b623592713192c5d7205cf67ac9e002b230d01b27894a5b7edbc68f6fab5a92b7130c792292bae82918ce415969597d6fd772113f98d1c94718

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f95fa77647fcccbfa8b818e3fc81b795

SHA1
43cb8c6b1ab8799c9227dfbff1b7d6a62cdfa0b3

SHA256
dbbc482a09aecf7e3936f8fe5b3d66a199be9b4b2982f47dc0cc20aa5f8527a1

SHA512
935bf275c32d88d01d348fb3a187bb31772ce2e603e063fe7be5ea8735adcde5bb0b65ebf17b3c3f336d1a0043ced30149b50c5f817e01d044243b88133c8b4b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
10893d96ae4f06b10719340647d9ae55

SHA1
e6bbb663f84875cff1db21ea1d612d8c30143bce

SHA256
4e580fe4cf4148c0b8a9f10109664054516431ec7b3daf61a53b6b406fbc4bad

SHA512
f683b22589388dae3a32fd9a36e469ec47b23ca4349814fc50be651879dbc4e9a0267b4258702b9043c9a3715629b54cce46e7fc161282db862590f5022ab0c4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dd02fff78dfe8362f3bdcc6a83124e6b

SHA1
701630606053f1c18d01b39a7b2de1d54afae188

SHA256
80a3fa193539f6bc2b858675e89cc254f244478d70c583d0e5e1152830ec8adb

SHA512
dc72099fd0a4ab986d6e959e0656e526c465d567c7f61f9b3bdbac38697eb646a21db5df9691941c83a5f5dee84b87d2919d2f0879b610d8e79f19639923d565

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
11f8ae42d46104c15ee3b8468cebd49c

SHA1
05d9043d6a6be5a3c2175fe123ac83649dfbfcb4

SHA256
3a9a0012bfb1e2d75222750480c9d725658b5928ff538bfbc1f31cb7b084b192

SHA512
6a4b7f8782952437eb735fac4431cdc0f116b94c954eb2039ae4cb2507281f6f617ec54cbf8dd9ce72285d28f322a6a7ec7b2791f390601e2c462f28b92a330c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
21ba98de13c0bef8052bfc06a2afc54c

SHA1
9df1aece1436578735976130fc120fccf082afde

SHA256
8fb0b9c6d39b1660999691d8a8695ef8e7608739667529da5d102ae999788a5a

SHA512
751bf7ce179b069a32e268eb93bd6b4758002e2917520b769181634198d72cae00baccd24513ee4187549b7026e02c37ca240a10004a44e4c905c78aa0490406

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a9d46c7e87bc10d24314fa5b5f1f7275

SHA1
a568ddd3505ee5b8d28c11402125094285f052a9

SHA256
8c7697780c39b3945deb2f30fb5358548801253a616e2110195adffaf726547c

SHA512
d5b0f9ba10ad9ea032617f54655d2304be6e8aaa076b48a99cf40243f3f57ac6cbde3982d3fa297dd4874dc4cc5bbbd0890754f2d211bf8529b63d24563be541

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9ca3a8ac25d53731281b609fe2f08431

SHA1
c1db5094e3b1708a311f36b3361f169717b048a9

SHA256
f6ccc3d292f7392206e9636c8c036edceb15edf6a82ca37d396567610170984d

SHA512
acc8a5c5ac668b819b202cf375b1b1df2a4bff3de55406a2bcc107cb151141996006666e6e9d02bd5b824de7c0b0381af3d5804c56cbd14d537db64f48c924b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
62840aa62aab1f7ba54fc9abc36a2510

SHA1
6629b612ccddf4c68115cfb53df70a162fe85038

SHA256
c3da74316d51321af52b6f52fb4d374e5c79d9a0b0354b4ba9667a3456d12b17

SHA512
d3b23cee2f176ea80fbf85c2fb883d9ac3d8e3a2bc78fda4bf9194ffeb01189ccf91c7f353db434cea25d6306cf2fe8635ac818d89ddd37f8d3d28febc193642

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a14df0ef9569e594cc33c3de20608a4a

SHA1
12070f22fbdcdad205e46fd580546bfde8369b79

SHA256
96c4bebe60a134e67aaad90e0528e8c5af6bfc2363dc35b98b18ffb692f7e633

SHA512
af2a1e056a5ed8e05ad6e8e9c5e4ae8198370e604eda640d1cc5129e001a9b0feee7661665c4546ffcd3f7294b941d977bb48937741e7705560e7e5644bb5733

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8735c38d4031993771fdb20536fb3478

SHA1
bdc6e5a48ab0c742f46818acd9223fcebc87bad7

SHA256
18a76409d3720eb5905d39c946910e718bf20190669eb412abcdc6f91ba8a588

SHA512
efbcc44245936ef85b4476705b2cf6fa68d8f638433e97dd45722f8eb08cbde7b0eb6f1ccb1ff1cb5fea3469b1a57d9960b5070266d7691284a9f6f04bb2e65c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
597936cff3a95874178bb8d71a911b9b

SHA1
025aa8cfff3065d691f81761fc9f60a7d34fca6f

SHA256
30456e0e3c2753bce1e170770d44393ef983632278a76b78c6d01fbace979917

SHA512
1f07b3ac9d53c30505d090ab8b8b850ca062209a87394cf3e80b12593f8e9a7fba2a43260712b473638c66d9d09b496164ecf6e6b20550aa024fcd7cdc9d85a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a550a05860bff5e824cc2da1ffabe16f

SHA1
f3109d761ee41c0cd2db51130100e55d5bc2349c

SHA256
ff77039237870b7914c0fb89d38bc3ec8f4f066b333bab2c3c5614e04a16f8a0

SHA512
70ec780a3e7f5c2d2b0cbf19bd99a33820436a7da24fa6252b5983b1d05badfcd190d950189e8c655d1dc3589a5578059fa2fd9d8815edf70b01141113037493

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
56fe083f7503e11b9ef6cbec8cb06f7f

SHA1
156209fbcffef1981ffbef204ab0ad737f01de64

SHA256
48b1fdfe203a6bf2fb2b199d0be26fe12a9c85ab444b1d6ef977a891eac45db9

SHA512
aa67e700b851fe5dd68f04f75b1cf5efd58ba9114fe6e18813152e8a676f3185803f1383b2b558e7d60101ff759c04d9eefa641b6c624c3907a67f866c45fd45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
19271b88a1907d25c4ebcce065f690be

SHA1
83e59be91f5c400f897df85b21ef6e2521bd68df

SHA256
6f08da0125dcc79ce81fa571a850e83cbcd0b08ac72b46bbeca4dd65a6bc816e

SHA512
dbbe40abd2cbf96d0285db0ca1248dbb7e06fe588614c62d906dba3add094eff22c53811ad4069561995ebf43024a1835f57375043cf62931def9d4dc30a386a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b3a053c03fd393ec74429bf12ec68b8c

SHA1
4a52f533cab5ee183ed68e5aa63c3f9946ebc415

SHA256
d41394c27ee627c6a96724bc4ffb64794bb52301febd62093ae4892b94895016

SHA512
3e678052aeecd331eb75892dd5865c7bc3eb0f1507dd229c1e117c9ccc08aed76487c05f7b90fba83414d1fc8a80095d2ba9c1b948425867d62615ca508ed2dc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
94017b341c7cad5941f49f2c166f6a2d

SHA1
6e81806b1c74de1ed449ef1e74fab9597c1f4dda

SHA256
1ceb8ae50163803733a0a8f2626df893d70890885926081cca61570c266aa59f

SHA512
88b2249daa7b261dfce44a839d4cab73f980a6db1b5a2b0efb35b48a0ff6aac4ab0206926e6223a95ea7fa910956cc50e615c144a6dc6146578bb58fc08e58b9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
10a2cc1539affe986266499917e83f2f

SHA1
4bd6490fc30891a57f665f9bb33fd5269d12059e

SHA256
a59cd1239f1d7174f81b80b231cfae55f167e0fd9c962047174cb93bfab9b64a

SHA512
e1c1a3a5a997df4ef3372f2e9639bcf268e4ad70cd343e0292c48df8d00468de2f0183002e7ba9e038024cf26b0dfb703e3d0d1cd88c0f4866eadfd3320b60fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0b666dd3b591cce54f0a2194b0cf1139

SHA1
7cc940fa197265c5f67c171dd0ee42b3d801da73

SHA256
7c834e4d94c4821c5850aca41e353dc9816cc2a42a2f6a2fc7ed0ba896cea419

SHA512
afd07d7e6caa9b26e17848cd8b6fa029acc0d65305b9a4093a6257687a385d6773f36bfe2e1a32c261a20668b14ddd2b5e6d39fcfe88565bbd4f3314a1dee5f5

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
c75904f52c5a3d06d039d7e29d12330e

SHA1
01609a94c02faad94d2500a526a955eabce1584a

SHA256
7ead57eb6e58b3ef599ff51ceb37d2b3e4355de28713b5cbcd0cf56a442f65db

SHA512
b55a3ff4fb2a25ca29e8a4a562166e5c13a6b63291df4e626bb19d33ee03cb9056dc9348ba28cb35ddefc13c3b162399cb260b91c85b2ccd1ab1a491ea1dc162

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ad28dbbcc8d79d0b3ffbd3a65f59a24e

SHA1
a7ad477767608512471187fb68ed4f351cb5a1a4

SHA256
09a90544c7a53ecb11a8bd7b9578a25426b018d06884933ddf5a1a9136026476

SHA512
e4b7e9fddfca3a34d987c95747ef2df8ba4cf3b7152b354ec325dedda3ffd1079f993d3bafb494783f8ffc83ba7216e13affd771295a91ce0c8ab1afcba0b9ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
35bae8e2cfd5a9d5cc31e1865e596bab

SHA1
f5e6785f0adbf755d690df52cd59ed817014ab46

SHA256
6fa0bb523725072314cbac16aee33528f17cea6f0eae134fca303f686f519fae

SHA512
042312b1ac0ade34453dcaa51bb7805afb59505c032722cead8a0fa9439881ec3bdcfe028092e34e897d1891a5ac1a2c3582b4f7dd347ecfbabdf07656512cc9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
985159689779a6a72241fc8b4d36f29a

SHA1
d89e2fc11b0b3aa5c57814edaa9fd7947f15790d

SHA256
5956fc73203bcd427c834b2c79bf64d6298b3301a51cf06169edaf0b39b479ab

SHA512
004ab37223b4e46a31ba4a41f05a2e97cb88d36d15bec6f4555e0d9f7acb8f3e6968340dee45b7055b470e2aac7beed541219ae8b98e92a0c505b86d365803c3

Download Submit
memory/224-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/224-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/224-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/400-27-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/400-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/400-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/400-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/532-262-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/712-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1064-257-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1564-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1756-266-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1832-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1852-261-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2168-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2168-532-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2240-100-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2240-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2448-533-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2448-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2788-526-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2788-42-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2808-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2808-387-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2808-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2888-255-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2888-96-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3344-259-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3428-518-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3428-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3428-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3428-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4376-263-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4388-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4412-79-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4412-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4412-83-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4412-73-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4592-531-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4592-253-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4592-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4592-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4784-267-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4900-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5004-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5004-442-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5104-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5104-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5376-478-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5376-459-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-631-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-469-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-433-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download