4fe965dd91598344a0e64864176a984e1e3b6a4269cdec6a207043281add5c56

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 02:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
Size

4.6MB
MD5

37c7a986c22950fba2a276d4bd1822b7
SHA1

a6f463fa725794dd65c79afeeb3f3a25a3084382
SHA256

4fe965dd91598344a0e64864176a984e1e3b6a4269cdec6a207043281add5c56
SHA512

8f56f949c742207e4e4065c26a011e098d28fa684c54d96ca32eaea4a8c2fec91ae2d8b7451fc5093bfc95d764b81901c2150920ab3a79c4a428119b582a697d
SSDEEP

49152:tndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG+:J2D86iFIIm3Gob5iE3/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4284	alg.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
4480	fxssvc.exe
732	elevation_service.exe
3340	elevation_service.exe
1556	maintenanceservice.exe
4152	msdtc.exe
2420	OSE.EXE
4176	PerceptionSimulationService.exe
5088	perfhost.exe
5048	locator.exe
316	SensorDataService.exe
4880	snmptrap.exe
3576	spectrum.exe
2624	ssh-agent.exe
2164	TieringEngineService.exe
3208	AgentService.exe
1112	vds.exe
4940	vssvc.exe
2792	wbengine.exe
2252	WmiApSrv.exe
4300	SearchIndexer.exe
5276	chrmstp.exe
5412	chrmstp.exe
5556	chrmstp.exe
5632	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\40e90157971c363d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\java.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cfebeb939d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f886e7b939d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0ef80bb39d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ae284ba39d3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d8766bb39d3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3c0e2b939d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008276b5b939d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3bb5eba39d3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6b137bb39d3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000015b1eba39d3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
2512	DiagnosticsHub.StandardCollector.Service.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3328	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
Token: SeTakeOwnershipPrivilege	756	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
Token: SeAuditPrivilege	4480	fxssvc.exe
Token: SeRestorePrivilege	2164	TieringEngineService.exe
Token: SeManageVolumePrivilege	2164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3208	AgentService.exe
Token: SeBackupPrivilege	4940	vssvc.exe
Token: SeRestorePrivilege	4940	vssvc.exe
Token: SeAuditPrivilege	4940	vssvc.exe
Token: SeBackupPrivilege	2792	wbengine.exe
Token: SeRestorePrivilege	2792	wbengine.exe
Token: SeSecurityPrivilege	2792	wbengine.exe
Token: 33	4300	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
5556	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 756	3328	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe	82
PID 3328 wrote to memory of 756	3328	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe	82
PID 3328 wrote to memory of 2764	3328	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe	83
PID 3328 wrote to memory of 2764	3328	2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe	83
PID 2764 wrote to memory of 4088	2764	chrome.exe	84
PID 2764 wrote to memory of 4088	2764	chrome.exe	84
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1964	2764	chrome.exe	112
PID 2764 wrote to memory of 1176	2764	chrome.exe	113
PID 2764 wrote to memory of 1176	2764	chrome.exe	113
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114
PID 2764 wrote to memory of 336	2764	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-11_37c7a986c22950fba2a276d4bd1822b7_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff229dcc40,0x7fff229dcc4c,0x7fff229dcc58
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:1964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2524 /prefetch:3
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2128,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2608 /prefetch:8
    3⤵
    PID:336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:5184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    PID:5228
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5276
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a4,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5412
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5556
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4996,i,17319233694498788584,14026704765231481132,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1356
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4a3d725b0c5cde2d4c36e408947bb106

SHA1
6a6d719341b507ad0e74cf0e0ac273424516f9da

SHA256
73521c60adadf8846978a66401b7882842f393450f36ea1d098bdc8b6628b68d

SHA512
0bd1e993cecd3a82ff886092b2ebc97c66c044439430157840bbb73cef42629aad4fffed0c1c85530a05a7112cb89d813abeab2c8ad230067efc7274aab20869

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
0ee5ce3e73dd29fa052bb4fd88461e9b

SHA1
1a59bb624011e2238382cec59e2ea2b936176ab8

SHA256
72ab0c61715606e86a8997faf2d0c688b62f1d8b210aa927e7ac9f020f6c0a73

SHA512
d6154fdd925510eb615f8e1e745de08a77c25978f7b7606d1de855ecdf39fd6744c737df090e828e52e9072dc50d17a9d872214056bdc2e10543693066115991

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4d67c5d18aec9696aed2ac392e560a57

SHA1
0a7656e59bee0edcb59b68a96258eedf5e65f777

SHA256
fbce25cc4ee7b1508443368ee0bbe3f41e8b21a097a374ad42ee375ce7e80e8d

SHA512
1df453965dccc435ab4bdfe6fa599214b4656b94ddd1f0481e07876673f8258c3ea12c504ccc727f43808276cc7e92cbbad5afd2a159eb97d32ebc651a76a3b2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3f91e940088fbdafc21595b7252b03b8

SHA1
1979b000010956aa391be370ad05e8226f414f1b

SHA256
b56e8528c04337919540ad18e5d4ea604cdd0e43a8a996d9662e4325983773eb

SHA512
6702b9e01d59b6ec2f9b09d336b6b2bf8e378e450b57a93ee877260384e6980c4bcaf0c54333b429fad26f521a69b40620c4e98109c9d4909124b3aa09f30d5e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
82e35c2bfd5520fe9d5f4ce907d67fbb

SHA1
3c28f7f72f01617f352ca86c74728ce234e578aa

SHA256
f709f7620bab6b76a924b1214c47d3b4007c634ba784c7c0bf957a7c328bc057

SHA512
843ea16cd71c1f1022fff7fd1b4f5ea436f05d5f04b2e13cc80a58d8b48f4f9a405ba81ba2471f37412ddc7d2ca43203a0b058ff116dc50582a5dc463689f4a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7d163355ed61cba02914351052a74ea8

SHA1
04d7ce48a81d33a6aac74323ea487f6a7c261f7c

SHA256
fd5fe0bb9cb9eaadc095dcd9177eea40a495f2ceec6a5047dc04684e780390c9

SHA512
42bcf10263ac6d7b8e4a5d95e7ca81cd1e7bbe1e52f3226b1e2fe8aad7783c82045df92c19c77dd58cef6ca4cd1e794aebd17d3f8a93fe554ad90ee941443b7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e084318e5af66ee29cb9c5891f898bb5

SHA1
a6f8f31036a80a809887ff1cb3564aaae13cb1e3

SHA256
414d60a10f019a92f890a6d99d7ad6c6c04519b2289dc34b3870b3fd771187e7

SHA512
3ae7dc25f40770021c635d99fabab516c2f4958f9d4cf454cc4d5fbad8295b5a61333d0750e5291e7ab530fe143882e2895eba44c9c58ff53e7fd76d1bbce537

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
27a3b5c535fd35ee09322a9908fe5f08

SHA1
492dbd7dbec5e5d2b57655cf671a765e4c681f7a

SHA256
fef9d0fb5703556976eb8f78b70413a464e9a0049d836c0c0deb215b7869cfa9

SHA512
deb732e8964d9b91e1f7f6666104388b55806f338b4324d1622475a8c8c31d3048f96c8db2ec6ee46c0d8e58128f0577e4301a4fb1b29027d844cb469629f0dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
353e0ffa196f8dca37a0e95f5a2a0024

SHA1
cd0d4b1c6c44faf53bef700b3cd0aabecd32b565

SHA256
ae3f86fe26d131548bed8d2b204688d7d9725df8f6a4e23e27274d5746c07805

SHA512
1bfd1b78bd4beeb94ec1571a52b6480e6431b9394d8144415eb9da94086f023cd8690372407a9ac0a25db6810927d22ee7ad7c60abe78b3d8fb7c23bb81cc451

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0d0865001054ca7fe9f533f01f5ddc21

SHA1
d8565bfa03ae9b5cefbc2f985d78d9ef07512f75

SHA256
d515c1d1aa79c453ae325522924a86dec3648a5b61f801704827df90730dd18a

SHA512
592bc209249f84d077e64253d37f21d0b50a00105f6aa3b80a4859f7c61dcf5fb62159b54a8548110b07cfa506e237f59f699beb4ff766ccc943cbbe33b802e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6708c882645459b55529290663086327

SHA1
eea43637c95471a797baa274d003ea0e622e6762

SHA256
5f750fd31c1e4491bf41219558165118e7c8418da892cd52ee9401b3729c8f4b

SHA512
8558949d9ba9c168430240795516b03710f58a4bb213222e2ac68eef6fa0feb140f7b57640024f4aad73dc08a1b74046575e26714e2bc27e722bbd8adac98294

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
760ff6cbea83bd3e699d0f0b6246c9d2

SHA1
81d1681bc4db36ac44bb45484876bfb8a2a8d84d

SHA256
3ae2de614be89b527763b4bb21737696eeee5c1cd2fd90a295130efe98091966

SHA512
73f373b0e3858ba8304e70489d0aaa036fe9eb5ffddd046f8d02ee13b443ecab4d221f2c302d01a1b024f209f3f8d0a670d9abc1171076ebc1beda8ef6a83477

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
350204effbdb63890b5345c96daa82c6

SHA1
2a5e4ebdc2e6593c0176b632e60e15a533d2a63d

SHA256
072cadc2987b14f5bef57abb2f6c89d7fc500b3b79b38f5b93fa1c0f55d68a21

SHA512
bb03ca73434619ddfc5153cd701949f2609ecbf058866f14b5f7f5bee92e236a0b077454d7faef8c9e54717a6268fe985095bd3e4a66e1f3346dd569814a5b6a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
00aee5be0472f6142ad4624660fddf2e

SHA1
44477fb2f1b42b7aae9a4134eaabfd052ed4df4f

SHA256
408635a226d62fdab83cbeb48f45f980d249f5cda59e16dc77342010051effdd

SHA512
f9b1d1bc6598a11a5795f4ea6715adacd587226c1fe264fa789696b509ee98814058d37264b4d3d65de113dca3afa07947bc9c699b985ef9b324de1bd40e173f

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
0c218d46b367308f64b3a9c103620979

SHA1
7e47a14c921ac65ad64b52a298225c52ae94e982

SHA256
daf58f2a04426db747def66f077f560fe7d30495a71301006094420cd721d946

SHA512
bb022fbff07cf0e5cec647b86ed104d9030b229bf84755a3a9fb9d5ef41e646b00b12354899c2c1b93e909e8f092afd1253b57de7085e58890c35f151077e30f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4d0afc7abb428573f15567a9534485c3

SHA1
ea83ff6dd156159841b7eb5f7b477e139508ebd5

SHA256
f3e352018a1deb40ee7bcefe236adc331237f45b5e4b1f58271d1ecd03d93f33

SHA512
c2235b05521e9dcd0fc3ac9be335b220607127e867f4b1f2c389c1de7ea6765a6b42630b296275200bf21a783b6a759c5a915d6d03ecdf01de1e949966e77b5d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d4bf81f2f4edb64d61250c7635c5407c

SHA1
10f7d964a05985b39d7114c7e9629a90537b788c

SHA256
e4fdf32fc03ba1bdcc3226720485d6970fe47fd69429e17b2ce659283e728c63

SHA512
40aec9d3bbcee66715334309d20e47bd811f1f4aff3fc505ab1a6ba25bedc832045b927220524ca1f29adf49f0f7e3984d668ceb06bafce994fada18771873a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7be3d2a6328b062194d7bf1f29e05b64

SHA1
6405ddf1dd1ba5347f8f826d1823e53fb54220f6

SHA256
cd0b2a138a443e5ebd93dbaa0cd1594886e596d6d768023e1bbbc6991e35d7fa

SHA512
d98beda9e1aeab7d5d51ea278519ec1c3a3842184403f061c75c785f3acbeb9ee49c8ac4894d3aa8b437540df8acceb391d50fbdf7124d82182c30adfe6bde89

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f73626b7ba2eedd1a061bd5f55c62aa7

SHA1
ea340f05f8e125da793fc1b979379beb0941890b

SHA256
b58ddf682f805ae2f45b6f451c6cf77957549c2f5eff7b98671ce252579d38a9

SHA512
a4fad109054d31c2dce9c6869fe739ce75285bdd3c51c7e15ac7c2fb573d44d768e9daeaab5989fd0ec4d839157e1ac3354f82ec27838ac3d053158a8cf96128

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
cb604380b6c6955c941f9034997d6b69

SHA1
0e188e257f7263d17593fca7c5eea40ae8e5afcf

SHA256
f33d482c26cf100634f67ad1de126d13a247dde45d65c08cf654161c496352f2

SHA512
91c9faab87a5cdff8fdd73c9d6eb67a62d442c59dd1355d7686e9af3206556240c2cb7aa23060593d584ba770932fef2d3f03b604703a45f11da9e9a47074f68

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\958efcdf-cd09-4946-be59-ea527a788627.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cc1a4cde0fb2ff111296f3c09b41ea78

SHA1
a3fba31c2dad00bbb76d9764933adf751dd74b52

SHA256
eb8d27af6c296dff71fa0f150ca4c42e2d7ad5edb2ef68d5a0e9fd3704e2cdf3

SHA512
a1aece6be2091d6e6288771e3a1d4e427cda58a1162bed3b8e631156f99690dc75197987a84e35502e0f960aea9b4a445b2ae0f787da566389cf81dcb8cf6984

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e8d91bc7637d469efbc4c973015a6444

SHA1
41fd625bc195506f8885274bad9e1ee97d49723e

SHA256
c7d95ccbd9e28ba451e26fb1e76f4d9d2ca8526962898e8fd5f79a85a7e902b4

SHA512
cb29be0e898ed25dc36ba50255ec9d69339bd29e25f3d5b98029313948b7d7eece31def22d9b7940ffebd3d18ec5188751bc7e1ca909da783f00048fd5c4738e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb34235c695fb3e43e6c9d001705bcd5

SHA1
31a3707174b835d8f5711e4ed95daeea7cf36278

SHA256
860da3a339a135b160f609dd7ab7797a679c95a99e833e753236491cf3247e7e

SHA512
caa6343846c33db51024d383228f45daeff36a9380d23ecd81a214366baacf557b08bf6eea464d022c1e133ed1e4f6f6f92a6e11accc0e6ad91363391c92d06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fdb2807d6496b3b914fbd7fe9e6a6d07

SHA1
0aff368e669eb8a2ef9e92bfe2844e356d3df812

SHA256
b0bca94e3a7fc5cb05d72fb7dec3f46a646dc8c0b4d9b760f08b12f869d64767

SHA512
2234cf7b7518f4b8984a9c487f13b9c8a114b25958ff5bff24783b557e592f28a8ca5ab4a060d90f9b36671af5399144e6f6675229d19b1899a66fef595fd9d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
beb029a806e4e87316bef0ce1ec5efef

SHA1
ae91c79908798a6ea88d3d92d68de0d23e7cbeb0

SHA256
4fac62f93d42b39c6a6c6ec6562817bbd50d2f1c4e870b8e47c6e792eaab1c8a

SHA512
67e66ea2c0dc2142d0945ff96182205925ad9d4882804a12433dc0fbb4fca1e34a7665be6fec562427c4624aa14353d9cb0d8b6fbcfd203fddae6437ee3d5040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
195d35e29caaac53957e8d4eda5294b0

SHA1
61d8ef1f2ce1e1c8f15e6c52f0edc90e9eb94e07

SHA256
dc44a86b9f06c0c80ec40e1900582428474548838921665e66d4f8ab838c0584

SHA512
31ba4b513c7909bb4c395bed74a85800dc17a19f279c9cebdb7e357bf6a91297212a9de9721ba1ac6155d0f2743f74285fcb5865282614d3b0e7ee56526604df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c93214fb6e3c5774d52b01ae482307e1

SHA1
dc8f33d116f25bc8cd05d490f8095639f379925c

SHA256
b9d3ed66624d840b02b9187d60023d4d081cc2f27ce1a0a6cc24fbcea73dd56a

SHA512
58597daea4d6cd14ac28848970b37e7f12171f9bbd36d61b2ccab910f658103836ecf12b07dd04248feddcdbd825198cb54879c62ac13b236939bb990136ddf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e64bc71584cfce3c17c10673ea244a30

SHA1
7b65e51626056097db147ec9a9bf9fec395ca78d

SHA256
328b550617149a735f1810cc0bc2bb0c7b8cebd407512699bf22b8edb148fff2

SHA512
bd3133b5f6168756ec734642b94c4a283fa43b4bdce68a413e037304fbd185a874d47c96703dae4704c508a34e077416912bcdbeefc31bf123dc21b2a62a8578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2f3f444613faac21d7975933c1bdfd70

SHA1
c1606e69af12b142d30dd06e43c4300c3d934725

SHA256
d3eb41f376a7138380315b8bce887eb338e5d7a0ca9af18e0ef1513ff370d76d

SHA512
a844c05fc0ec9f896ea9553485cff1ae3130450eb779de0bffb4ff430d1de5dea860ce896747f2e62e035f87fcf2fb71d74f9671cf42d1b1f515d9c21bfbc55a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1c10b8faa66ac3d4d2de680f639f921d

SHA1
a7a3c6e2a9cbd2407b31a16514b9af45c9993359

SHA256
ca1d2bf1775816160667127224a47b803b1afc8ff2300d97fdb3ee388c5c605e

SHA512
ddd714ae1add95d74ddfb668b878cd9ab4a65f2f2323a7d49089a1ffd8a537b5f870459ac5c94938c297657d77ce0714bf61726676fe3adb5f1236d5be44f7f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ffeb1d91329c4ba78c1eacf284cc96ba

SHA1
9d400fc582a02d2d438cce583e344ca2564e6e89

SHA256
04928d21a1168064a8375a06b4aeedb334d949719c0627c321dba7cf454a42b5

SHA512
c2cb4c5a0b72b7a341a037808f3c309884385b7cf9284bad6bbc8ddb928444fe7a6095769b01a6f0c6707c5d4c1fee1a6dd620f371480ad0e088528692317548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58339e.TMP

Filesize
1KB

MD5
019eea628aff68d00e17621e5953ee65

SHA1
ba06346f6933e74b79557b5bd48cb43e40e13c11

SHA256
ae24fed915c6b239d6f310a2a709d88ec9d7b737b256ac5e2d040dab5fb559e8

SHA512
4319ad81ff5c36a7bd7ea310395b5775518396953f208fe86298af8479c712532053a3f914a60072ef14b9f75ce0fc7f0660e202346f55e57eee9ea99031b9bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
10c3a135244ca7448b6e29937a12810f

SHA1
e286d383552f7b8f2858192c6fdef363b9070f71

SHA256
46bbf378b62d8785a4710e508c36d8a79ec3e6bdfb321c573496967f23679b62

SHA512
c39db90f0f8277d881f929d4f5fbbde108c65e094845278bed56db1e60ed2c243279a9158bcbaa7452751d4b727fbbc7b559d9e1dcfe3fe7ca8e49de5bac9a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
9af6984d798880c4b5eb7076ba707ecf

SHA1
2292d4f91b20890126a07d06e9244933fd1078fa

SHA256
4d119daa3d0f1ed290f48225429bdefefc0e469ae4a6a69c77b3a81a257eb6c7

SHA512
1ef5124249b409e8cf4fa0b49d53042f5eb8777b7ffd1b6ebe82afbad9dd67c6509da62f70f6b4712ea7c36a2cdf1a4ce20385c1ce51bcb5ed49ef5e61894bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
b23c5280740a98c713f868a6bffb1bf7

SHA1
6bc840019ade9f738504aca1ffe7e94d39e45795

SHA256
db53c529d4b6811efb87ce2cdab5e2bb6d5eac9a9836c778001c19db21f09d09

SHA512
5f55ca15bf031b335eaec0077a65dd866625729eb58f8ac7f5da31dfd286aa7a770e34015968330a1dd92861fd450f2faefbd44d4b3a01c3d678c87b36990492

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
900dba6da0e1f05807da1633eed9eb0c

SHA1
2030e65cad90ffc5cff81b483506755015b7f95a

SHA256
ef516d4896a34be76b20d6811542c9709eb6b4c702522974990b11cd92a9abfb

SHA512
48067144189dfac952c2b6f747fd4246cfeee5e7244e4b8baec4062c627cbdd62ca8a0d4452bf785d6329306cc34edd1d3d65692bc1376d8a457a7a28f2fe6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
98bf8d7586c1d084dc19e0d2c74ed450

SHA1
d3766566dcea029b8cf9dee658f67d734e53c69e

SHA256
3ebbd2f1d636cb70934f16a9a97444510778a428eaed079a9caa18f7b324e137

SHA512
be1a773ec7d328313020b503c8f533d499a94ef3a174d3f89c79fa8e1637d59a7db526da31b5a6d5fe0115ab36f772fadf5f31b02b9f6904c9ba2b21cbb24601

Download Submit
C:\Users\Admin\AppData\Roaming\40e90157971c363d.bin

Filesize
12KB

MD5
7dd905e640702208f69b912e9b9e65e2

SHA1
126380e6761792f5863d61df8bbd78316b697069

SHA256
864cd2ad4ad834fe011cee854481aedc456be7c909b892be58f0bcdd308d23ce

SHA512
b22a3462b2ecfc80ca9e703841e223d3ed73886542a9412a3f38cdc9c0deea1b0ed685a759667e5e451f1e39a91bc0fea7ee9fc5a9effa1a846da0b859bb474f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4a7c7529c0489799bc1fd98e3c8dbb84

SHA1
1c83714f2a75890ad93bcdee7a5ab72c59d96ba7

SHA256
d3f553b1b9def211558fd5b82aeb56a7b5254acbf1cc1a72f650f4f3d4b3fc25

SHA512
9dd73505a73568769e3179f7d4a7fdda407f57b9ce93429bb008cd72663346f28135dc989b5b94c3723af22a6c8b067056536a312a4048a3b5434decd1c6915a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6b811e965ca4979c1fda4b96dda12a7f

SHA1
c11fa35b7c4b5b77c1034ffb4ac6f360bc1ea63c

SHA256
cf5df3d524394b12a86aa4eeded1d015dc5ee983a76b1f32f2d416b35ebee194

SHA512
53d8dc2afd9c44d8c517cbf7c45465bf47b452097c6c06039cbaf93fb72097c158e6a098e66814ddf009be4f4c13a9d418c27439c9f1e39f7d17383a531c3712

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
243b8bccea56eb819c5629740230d1e4

SHA1
6e0d6120fc2faeeee8856afc6e64e8720da39a0b

SHA256
2bd8cda6ca86bde735aed0718ae6b1ce146967f5daf2b405d701bf68ab3ffa86

SHA512
9490bc92f0fe7df013ef5bb980fc07e75e3826e0e308e0c7ceefdfb570dac6d2122a212cde91ea7c12b907df7dedf53fe82bcfbfe2243b86862aad85776ea61b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bead09567dd1c217e24e98d3ee9b27a0

SHA1
2d4fc8625705ec0b25a82cbb6d99b3fc9823e1c4

SHA256
99e2da4404fca6323152c980dec896ecdb2d6643683fb0adb67da1f2528ad107

SHA512
321acfb3a6db6aca717a40646ca4be4006f4ddd1d02125b219a5fc723e7dbfc8bb61fb5039cd2d8080bf8e2006b1d09c17a1b43bd2db709bae9107e22683d664

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a255ca4b816fa438e91d569e77a2152b

SHA1
3a0660db56478ad0b9698a6323df5367b99d6ef9

SHA256
c136d8eb19a7aebafdf72ecdc2772ad46f18a8aecfcef954544e0e1f0b89eca8

SHA512
1d0c2d60ba71c87793450ea53778cca8e14f0c3bd03e3987e21515f930ccf763e4061dd9f01e2c534116a837c3e2f5ca6caa1fa35e4fe29beeaa85b010f5dc22

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
15dbd6948e6b782215a25903a1fbfb3c

SHA1
6709ea69a69342ef005b5a465f515a6475ad39a7

SHA256
976d258536cbded15f9ab381299bd5666125f6ab4f3c810333be3e9a56a4ac29

SHA512
6c92f5715d152fd386d0211d85c799c5e8ed2733d06c6c86708b182deaf379935a69334fa4f3eeceaa4a9ca6a6d9d2ea25209cd8787842542830d77f179a5f9e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
85c2bde6141d7dd7b8e0efb620cf0c17

SHA1
b14dc71174584d9b0dfe6fa922fa7f870f954334

SHA256
42c3901384b0c075d72fbe7378b0d5073d22dac54aa9fee14177afcce5e44590

SHA512
eafaa7b4dc8b5d01b32d0e7925c54c197a34284c6e6ad0043d5de3ec19db942059b3e9196d07c8d18a84e7c4777cc77ed549acf7857d6bb35825e5d9f30de9c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66d65e58ee99cde82f3dd12cd67bd611

SHA1
259c9b111b55d0dd3160e4671b27300fe120c463

SHA256
5c6f2a9e3ffd486f67e865d09f1e886e7f76d48c5b2931ea4b4c3f5bed8a2d51

SHA512
8e29d839631658a9cf3c5bf452b7bf27eb39824643d1bb8b62c7d2766d49d51978e2e1b9debdf3fefb945d9f2597685664617605adbcdd4511c49b860ea627df

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c6afbe7cbcdb9178db7e5c77549a851

SHA1
49e01cb70d331c351c92dd0baece1992b9a14370

SHA256
c39a41bf7211bb9e7e4e6586e094e66943218e7c2c2179921f69f1f84a0121c2

SHA512
77b37618e2f5f7d1ab31348e57d82d8d0715ea0b47c2c17b6acd1e2ad9a616a0ae6669a94195d5533ff159705583c17d32c298c5b7860f9b71fe5fc319fb5227

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
85b4e392c6beaf19617bf08d96b18ed9

SHA1
ad5c0730243d0a524a7ac1eeffcffbe14f68ba78

SHA256
625367c03af6d95972fceeff6a3bacfbd9bca8018ce15070b7e8f8ecce9a9516

SHA512
5b750a52b56454e3302794da30cd9fe9dac7fe87c6c6691cf0dae519583259e3c9b4745b71a601b8ba367aba968dc866cb3a2bc8d4f427bfd61ff715d3c2ef77

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6be263851dd76e2ee3e1d1c6b1f48aa0

SHA1
4dd057ab05f81b16593e739968fd864b70a2d29e

SHA256
658b9f30f4f4d55910df2a4eed6e444e45221864df9b016de89af4a522fc074a

SHA512
42b7724b78d72d3ac08844269974a38e90e583e7dbe721a3b77f90dd2b440350ff043f1e5d3ee0f4c8ff744e75419fde9ccbc0ca1177879014308c40cfc4521f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8dd17bba5e8c9221aab62586437428aa

SHA1
38b0a2fd5743127e3e0c3df5043f33c1905fd4d6

SHA256
4a8b118f95de709ef688629ff4a6dbd1542ed93519f78ae5e05d3e6a14772a2c

SHA512
93c360d922a5067b4eeb3c145f1016feeb6f84ce2fef62461189e07590cbe700e0f96e86397daa0fe63b75ddee6284a2c26a0528efabbd9529d1e9d6da82a7ed

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b2eefaf637e5917e9f6434c89974bfb7

SHA1
254e41d326e76a9a8d81077612611b7c19323d74

SHA256
e2b4e9e5b472f0712dc1cec25087ef5a2b7a5d2cd65db731e07b0bc64ed34363

SHA512
411ebf1674c3217e41a4bb503c5d175c4a28a55d62c91ad1458d19a8a7cddf29ffbe60602d34cba453ef3ba76c1613bbaaadc7881b1f08b5e90cedb6ba371f67

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
588558adbbe88e9b78a7bc58792d51c4

SHA1
4d9474a7ad515b7451ca49cda75a3229fa24222e

SHA256
461b8a9cce279b2275eb61fe613f161f782b6bbd80c68df542e839ad0df8895e

SHA512
2fead48cb2e61f0a125bca757c87256c53a5d042b1e6301f6c8b5689f06bda6102657a956d8aa6d3300c08ce9d4c59df48d5116cf68ad9a749397a20fcb03123

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3a59c93418a3fca025faae3ace0d7df5

SHA1
2bdb37482d3886e967b7d96160cb2c6b7c5b70fb

SHA256
4bcb510a3dc85ccacc6795c1978d26ddaaa517051a07c4ebdef6aa3bdb775fee

SHA512
601ca5bb351ddc1ea35fe54c4f114702df84fd972b6034fddd345510c99c365890133beb5c5a7087bb2cb97faad15a7b96fc622f1d2ded64539c4d6988a94c33

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
83fc0e5540f6a4168997aa5021c33f25

SHA1
ab25eed75c0d3cb0c335266abd4d7d6ed10805b6

SHA256
e0f761fbf555c7034ef9f6083801f1dd634f04c947bd167774fef7137159df99

SHA512
ffd2e4a17a648e5d017c5f4601360402b1dd8b1d955a8004b3781f77221368b0d9d308c097b8e8fba38da7942e769e1d08f05b390332347e3b9427fc41d61339

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6e98ec42be5ce6c179ab375099709f78

SHA1
f18f55eb4f8d1e1b2f1f6fb3979187fb5a8976af

SHA256
9de9c2f476db77ca80ae132540b4502deb957168286f87b1662b119a7fce3ef9

SHA512
f7053b7d800497087a58173ed16d8e851ad4c73f653a5701be3bbd333e6305cd7c9fd57508514e5093c40cc6ce47900a8dae62aa2adc3497eef8410848ded617

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e6395f970d61a10df01c4d1e83273ccf

SHA1
cc32eec4c16c3fd0122ca1c082e56a440c6c3934

SHA256
4d8600fbc2bd72c6fbb3f281587f11a460c324b387f7a7daeff393eb2aa837f8

SHA512
4af492212dbdba88c7984fbc1d67f3e9dea4436842e58fa2a195980034857566f4a0f91e7c49893409dbe2e29566e036d71d1fe1cd7e993804a765ab7e943407

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
359f6800fd28aa318ac976dcc999ba0f

SHA1
489643aa8b0974d8b5777427bc0841aa90edc365

SHA256
efdeef22c3d64e2fa68af524434a152b64e9fff7e3cd9c7f162f960e04486fb5

SHA512
5c15f58846b1d7ace5dfcffcaec92dfbcd1cf460ec8d0881b96c9aea0cb69a242e552c622775f7c053b84fd4d7c68ce395c39922c99bcea8c819b097432cb505

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
bbdd8d43914394472c617187564ea950

SHA1
588415f3367b8a6137a996e73d1760c59a3595b9

SHA256
bbb1103db60f14d1036414c6742c979a853aa567cee3f38f3b79ca680081ec1e

SHA512
e8163ee40cf88512a458374c71fd9b7078254376a68ddd43918239c01c0df6f1787b7850ba7bb8f34f70165e2172d081a7bdfa0f8074e1ac84f74c0e7df76294

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ae4d054699a3dfc9d08fa9c1d494c739

SHA1
2178cadbc2a813d5a2457d1e8431a0ba7d990cc6

SHA256
651f85c7dc552c4eefb4d622cffa417a770f9b532c8c9f4489f7098bd04eff93

SHA512
3d7745ce9d0cd848dd5cd00a8cf320c77927e8cddcc9faec2f553a2f261b675641070cda746f550806a4a5d2edb23fa85fa91f1d7e3332a46a0e1bf9c19e2e95

Download Submit
memory/316-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/316-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/732-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/732-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/732-364-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/756-12-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/756-18-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/756-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/756-455-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1112-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1556-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1556-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1556-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1556-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2164-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2252-298-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2420-97-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2420-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2420-260-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2512-37-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2512-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2512-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2512-587-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2624-270-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2792-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3208-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3328-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3328-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3328-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3328-9-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3340-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-595-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-257-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3576-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4152-259-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4176-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4176-101-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4284-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4284-586-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4300-299-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4300-596-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4480-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4480-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-265-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4940-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5048-263-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5088-262-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5276-417-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5276-516-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5412-429-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5412-606-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5556-444-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5556-505-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-458-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-607-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download