cf77fbb750f3651984034435cc945be2de383882a7f6adc73ade32c62db73769

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
Size

5.5MB
MD5

6e0549b121112af98643bacb002f7dc7
SHA1

8cfd99c9eb13dd1e73cbcc784767b6aedee4f20f
SHA256

cf77fbb750f3651984034435cc945be2de383882a7f6adc73ade32c62db73769
SHA512

2731a4321592b772169debef699b0d74f64ac4a3293ef76048fcd1499558aafe826f38e263c331a6bce25d306d54ad398f544978d03765ce0f014a738afa9a2c
SSDEEP

98304:GAI5pAdVJn9tbnR1VgBVmo70uMhSBrkNq:GAsCh7XY/IoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
3432	alg.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
1800	fxssvc.exe
3160	elevation_service.exe
952	elevation_service.exe
4636	msdtc.exe
2776	PerceptionSimulationService.exe
4544	SensorDataService.exe
4272	spectrum.exe
4996	TieringEngineService.exe
5204	vds.exe
5480	wbengine.exe
5732	SearchIndexer.exe
5976	chrmstp.exe
5292	chrmstp.exe
5504	chrmstp.exe
6024	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f2fafe6c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2E67EA64-8D74-4AAD-B11D-5C46D99A6F7D}\chrome_installer.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4a6dfaaf892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edeec3a9f892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c00f6a9f892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec1209aaf892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
3940	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
6512	chrome.exe
6512	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4452	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
Token: SeAuditPrivilege	1800	fxssvc.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeRestorePrivilege	4996	TieringEngineService.exe
Token: SeManageVolumePrivilege	4996	TieringEngineService.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5036	AgentService.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeBackupPrivilege	5436	vssvc.exe
Token: SeRestorePrivilege	5436	vssvc.exe
Token: SeAuditPrivilege	5436	vssvc.exe
Token: SeBackupPrivilege	5480	wbengine.exe
Token: SeRestorePrivilege	5480	wbengine.exe
Token: SeSecurityPrivilege	5480	wbengine.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: 33	5732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5732	SearchIndexer.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
5504	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3940	4452	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe	84
PID 4452 wrote to memory of 3940	4452	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe	84
PID 4452 wrote to memory of 4352	4452	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe	86
PID 4452 wrote to memory of 4352	4452	2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe	86
PID 4352 wrote to memory of 2208	4352	chrome.exe	87
PID 4352 wrote to memory of 2208	4352	chrome.exe	87
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4836	4352	chrome.exe	92
PID 4352 wrote to memory of 4476	4352	chrome.exe	93
PID 4352 wrote to memory of 4476	4352	chrome.exe	93
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94
PID 4352 wrote to memory of 4356	4352	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_6e0549b121112af98643bacb002f7dc7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa21caab58,0x7ffa21caab68,0x7ffa21caab78
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:2
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:4476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:1
    3⤵
    PID:2168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:1280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4136 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:1428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:5864
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5976
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5292
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5504
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:8
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4164 --field-trial-handle=1916,i,12875592530718528242,6550362505918495671,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4124

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:672

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:4408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:5040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:4412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3956

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
863bce99369acf47c3cc143d7c0cfc86

SHA1
f4c836b9f71bd71c8dcf480dbb01d6ef1d8b69fb

SHA256
cbf258095f6136787bcae87f6b79a1b6b9391e56333cfba3ec8398d6cce662c8

SHA512
02049a0a4bd5e1d206b07aaff1625ce1c0a7f63031e869b96761681da074f312b8e4635124bc41a35e222aaef393e3f6c38c1e3d22e98349b91d0ce5adf7d47c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c261b3079e8086cfe47550f2826bef44

SHA1
2dd0f52a21395105a4d66225585dde85c26f5586

SHA256
5d271a32ae19f20ec8b26091f96361bb70de40b515516648d43c4a8960ee1487

SHA512
5331d839525ff185f704181d6d0c04ddd0bd2bb507da8c7ea53a37401346d62fb2249491489ba5d39530e15c9cd4402bfbff213ec52a93635e85cd308a52c326

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5820bfc30dac05816377bc0887a5a3e4

SHA1
05455e5b4c77578be19f65c7228193dcd098b06c

SHA256
6a79e22d4960c038b65c5f13d1cdb61eec9e42c60181ef23070248cd3fb130f7

SHA512
a3723bf3cbde4a89d501fea1796f85cb21594ce7574819060021736050d5485c02d60567f7f7b22543871675b07d02afa61dd70d5af074f3db092ba6da1f3b9f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2c5fcf6a48cfd18ff402d1d10ce1b90b

SHA1
a9701e9ae4dd3bb9bd0e39a2b408da202b61f001

SHA256
893addda11a3e9dc118c0eb0257e5ae281c4fb0b436a406a1ed9db09698eece4

SHA512
45954d9975343b2b5257d59d299dcdc99892a9d59da0e266ffb93642fea929b00e88e21daa644f2040c8378025fd9c68f2a57077adf733d7b6c146e53328b825

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6af6e096caea77783c4f4b50527943ab

SHA1
b08691997f0aacc118cb8b5dc85eb1012a67f4d3

SHA256
f53b4c662033b86cf016f36c21ac95f83fa20d7d8378ffd610132ad693ef4863

SHA512
a0bd67b634e22036172eaa146e49176a602d39f49dca174453736bb51c7ea6d4ed5f023c74cf2d83b407704d16b6ef61f1b326437f1a93e5b1fedc35df860489

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
969194d56ec74ae29847c3a13be46207

SHA1
9d4f83125d59cc278ca3c82224eef98f16f54830

SHA256
882514a5a8f02c227a1698c65ccf574cbfffcd60a4c23a1785b72d7ffdacd163

SHA512
da67a8e9c91067d8d875466bd35f3a8bc94fe187dd5efe7a79a0ece4e3a0912b89341433043c34ba860d09271da969e8dd994f1dd7d534ddc184d3c67b23faa2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5c2c3b38628ba7b5c55397750265b184

SHA1
242ce33a7155eeee2879179573d7e70d750613c1

SHA256
545c603cd1706636b15b2cd37b26ac2b05744a7c50b6ce800669e30b1b4cf60a

SHA512
1cd2cd6eb37ba51e82ccbe2eca363e0fe32828797b61b23a7c368febb668fa8abc00b88bdfd6c87a951f086073c4110ca90ddafc36872e02e4b24baaf96a2f7c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2485cb38-f447-4f28-ba1c-3f9a254d811d.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
f62493e5d65476dd7c79f54ce8830144

SHA1
81709a4cfec1d7a4cfcfb186ba2daf1fbb7e8439

SHA256
b8eed67a4887dab497bb9e530c7fdb0061a331c7f111b8bb95fe47dfbbd26185

SHA512
88535f250bdf9357b6197f8ad2838cf6b82db997134f497d110bda6936d9ec2c22cee16915bf1e9532940bbd1abfc71991b18763d0729e6988a694188005ec68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a86be22a2a47aa38c23495f45c5148aa

SHA1
bca38dda9407a61244d5a2aa08524cf4b4393026

SHA256
1322b0b5af2e880d7b77fae3a5fae5a78f99088beee137fda1843b211ad9809c

SHA512
19c2eb154f813a24a62553d039781ceac7bbe4be79445e6de362a8e4ebf589ad3df05dd821ceb9e4a0535ada1ecc57aa223b03735e3be0836ba660e2fd74f6eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d2e10efcb501520fade9a076e1f69b21

SHA1
ac28b2ffbb456eca30da36ec9de7f86b129e0712

SHA256
52426788cdbd0b5a9baf2ce2666a3f6b7d3cf843791c81907f19cdb522df696e

SHA512
b75fd2c78d99ec777ac46ebf404976f3ea04bb7859a39dfc6d61b477a2c41c2b17e1fd960e962e0fe5fcbab4be3031fa8c928ca840f2cc1108e995501fe84de3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
6ecb45c44f01dec04f37720ead7c793f

SHA1
9c37021402a670653b7b2397a6d7d2845fe9a094

SHA256
04de41cb88c7006ba38597a815eb1eb2988602ae2087a39e67e2a1e40afa4af9

SHA512
9ac1041215dc0d0d8d08b84ba0f842d3c04699597cb0bce785d2c6611f3170f0ca4c0416a0d008b94f114235e8eb1f24d3ee78654997f0d0033aed01f674f3ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
3430127ea15c11f0d6725b6b49c109f1

SHA1
64bfc8c5feffea3233e4bfef7c05fc08bddc437b

SHA256
48b86c8e1d10e7122bff50eceb81631c87c5894accaa5f2a29849c785be51433

SHA512
6cfc668d0e0d2dd3c4a0aaac38128c6e809ba11399acd0c090ede808d6ad25e330dfe420b46010fa2ad6370269bad572ac0598ec35ba1c77ebc1a430dda4dc34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b53b8e0b63d641e92677f4064c5594e1

SHA1
e55e73cf026787ca3a2992422aa5ee04264e59d4

SHA256
799d731cda735964458fac74b8960762860d54ea8d4f1a06fc06b2d198d74422

SHA512
11b424fd02841712fb1ccd5587d285fcd54c63ea48cee5e5bf496964be024abd03707005eb6148aa7e48a962d5c6444c1aa7b1dbcdbcbba5572077984ac3a7f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
c5c241eed48470ddbda1e9d34b115d2d

SHA1
57915f4a49ca319115cdb138ab8997e51f1b0775

SHA256
d8254c7a7208d5c2ede253ae350065bdc2a54d5303e4e32c7730a2cdcedb6ab9

SHA512
272e9b68b2e7f0b44a94a4f150cee1fa9a661fdd632b5dce569b7b9238221a7ee4ac33e1040dcb4ca5168100641530612c1c11b3c56339bce336c8f308ee7042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
b56ab56c95df71c48d0535fc18e8f764

SHA1
197cc57f73d70106c4c9247fb588baab33eb6989

SHA256
02e1a1df835835c41a7ac745f2dcac555b86dba5d52befde185b41e1d4a3c41a

SHA512
fe7dd65c5ab7a2379be559b9255ad4c27f33ebef159c7355157961d0c9b046fdcd1df97c6c50a824eba2fcd643fbddb96812d6dc108f82f3b975c59a5cc7c01a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
d2e4779f416ee6b1d3f24b0d9b49ef90

SHA1
912f98cb94412027aca779b88b20e8f86fa7019f

SHA256
61342857c33ad6cbb23b1a14d1a4598f6f9f036c7c0ad90d9bcefdad404b6881

SHA512
54bb0274fa5020d6099ac3abcad301ac78bafd393af75478bd90b314a1eb665e3a2a91e8acd43cc834be0f7f57934546f8637cd00c8b2b2601778c137eecf6c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
a9e46dfc0cb8a1c82c569ae8958bd233

SHA1
28dddf6cf1d879a0a8ca40a12ebbe0fce944cb14

SHA256
02fbe2525a977ab821f4b5744a1cfbaa78a8f4b35b8c5f538fa07fef9803b253

SHA512
17f6bdcea9f24eff84ce91e39528f8416acc3f4582b5389a1efbc1f1f233032a75ee47d39bb459e1f2d25653f24a4e9f53c84310f6bf3ea50ac68b9f04eb7286

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.4MB

MD5
a47124b0afa4c59583d0687f3425e7b0

SHA1
b476e8a413ffdd6a46937db9525c2848f768cd05

SHA256
94d7fead59b4ba1bad60ae5de7683c5ec108968d8e6c7accd9c367ffc5b1bd33

SHA512
0985fdfa87377c529b001d853780502207a04cb996c818fa02eae3cd882946d8a784e118b9173c2017f9d3a7c82bd581a86d5c551d7ae483fd42b45afe53a4fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.4MB

MD5
0fc7d3280ca26e24345ae7e2f82de25f

SHA1
3d040f43604b31c232f4d3f8c28896fc5635acad

SHA256
218655cff1c69315f24cd7b61877eb4e08104165423854c42cdf33317f49ba65

SHA512
b221f1e56f3cb15dc677de260b092de92973a9f176f0b30b77133ecd14c3852b843241ce1cbf22c57f56fd837f3cc338f47ffb2c1bea5f8dd49b4f0ca116a257

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe

Filesize
1.4MB

MD5
0e0c243948ba502dc7024a126fc29267

SHA1
5ed60191ddf1b91e476b07c6a9aa61a6e0cfea81

SHA256
5ef72b4de53d4a3687d87501da49cdead7ff4c8120adfe2a9021c659f139cf00

SHA512
267578ce2bcee74bca12acb851c592afd666a8a5a3b329ceaa2f47cf0398fe82aa939854b56495a451665ebc5a1f6bd00a5e9456aec299a9642ad7d338938bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\keytool.exe

Filesize
1.4MB

MD5
e9624ef75daff14b319812ea0f09872d

SHA1
e85ee79d7f990f8d936f6e04e8a564dcc88b4b54

SHA256
cd59bc5e10af8807ac6c944b7971f8fd779872a772ce6c1904c5d9b1fe32d06e

SHA512
55a98e81104c9a054780f257b7604ef77ac9aabf3eaa43b9c9b35c65f8e424b3744933b9a4dd1e28d7120c36626dc82e1a77b11bea641f4bb45e3585db8d207a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
1.4MB

MD5
ebd92811f069bf76efe85e2af27e70b9

SHA1
5d460927c844a15bf06d798808a0097e7d328bcc

SHA256
dc8666bdf593d899c631e312ebff0b02f30a9e36457c03d764c11072c3a03392

SHA512
d83b1d6c5df3904d7ac5b6a477ba7ba2d4e53494a379604ef3b83352a2154c35ffd0d71f6cd1cb937712e053040979808af3a473a087742b0f0d1be18f536d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Filesize
1.4MB

MD5
f8eddf0ef1bd089d1cb41f806a940214

SHA1
468849e33ababfb30d765ddb1bafc94e12a6980b

SHA256
a1ad2230f4f0ddcafb481953107582b95ef97b784903c89e800420cab7abea6d

SHA512
34890d9679fa8c208156d7006091ee377ae5b567e5c19c3c51f17af9ed947477a01cdc1711d2206072de306dc02a74f7e3be416d4903f4750c1e8ded3e9eff7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
1.4MB

MD5
aba0b2ab0d7e14049fae80bfc9ed23c1

SHA1
bb32c41a4df14d7cd98b1e8e5ebe9b481dfc1e76

SHA256
6ae8b71662e298fc52eba40edeb89d6c93b7375c85ecff6612de71574e6c263d

SHA512
03883a4468d2dfcddbdcdcfe4430ebeacf534359c2703cabb66cdfb9846140accc6f6bee3b36522ae3c9c566d354fbe3034a22a90fd0bb73ba467767b51a57a3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fe5fe47b25548bf17edbe866a071fd74

SHA1
0d918bdebc762cf8c0769bc5eabcd701054ceaa4

SHA256
ac52d5ce84e43d8897a315f00f38de0fb745ff4e488c5b68c8a7d0e4b4730ff9

SHA512
0f99937c6419adf234c799a58b48d8c3df41ae45c605fd0cf234f81f699d0f9864ddfcfadb091b049b2a883d62e01e17bc5630c429056b10f67adf53c98bfc18

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
0b38080e5496989dbbba4ee78b7553d7

SHA1
5e46fa17dc383a9943a76dd27292c6f7cc9f5a97

SHA256
2a91215fa022e88cb312cac3126a8958ce83cd9bec14f3e894a5ff13725e2a67

SHA512
de0a138107fe64041f56029afff2b1564ffccc0a552eafab88db3d6a5c3b0693e11746f1dad255e8d73cbb7fcf9562879f186f2d1f6e0e95d2bbb439ab291f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
273d2cbce45caf2ede717d027049f931

SHA1
4d3880a875edaa72dd9cf1b44108c5748cb3dca2

SHA256
37b7d501862fc5714342a23f53d38d130e4f685f0c7302c4cf9df83e20d07154

SHA512
c2dfff0f1d845d68cac6758161653cad51fc47644cb4231bd92dbf4a140b50876312b254f9381a5b8c42723d00e123956706e94c2c41354d36c577c79de8f5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2203fca9-3cf4-42f3-82f7-8ad49db93248.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7c8463ce7dc6faf300335cead48e099e

SHA1
78ed321e30d49d4d8a77d412ca8287b5ac52dd38

SHA256
f6c13f117f2d636b0a1d695349b2b67a75a88800c396dcbf0a6bd7c23b5bf344

SHA512
793ac3ff3ea24f4d04868bb9dd5a67b68a555901fc9a824620f563aeb8ba4870dc67361c29f1df2f54837670f0d8857ab6c021ad181c5988241634205256916b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9998b8aff411f0c36ba7c5733f03bb77

SHA1
7cb034f66bcef03498c5774f059a2ab756c1b255

SHA256
d66dc931673e87a2a25ebaf4567ed77e00437667d54a5d702108e385eccde99c

SHA512
1eee133cfa089e2100979b4df2f7ff7fdee619854955eb7d7b60e5eaf071f755942e9448d067e89882114e06af1dd05385cb5b9c45bf1ed067fb9e662c76b5b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b91b9ed78e49b125efa423cf6b3773b0

SHA1
e1a68c48d58f37348f2962eb186a1d8fcc04d7e8

SHA256
f58dc77e174e87efa7d11871fc481732720b16a9fdf9bd9ba9bf227c5a4a8bad

SHA512
3e91c5c197a19a838976efe5a2de6e39e0cedea1ec282d8c58ae12165223fe52ba0e88956a856024a239994dd253ade8c0a689d9483507f29ba322738b4a0fb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
06f366378ccde3438442a6a7b1bbd34d

SHA1
adb5644d2d21f277327682f8d93a7040f021ba82

SHA256
992dbc238ead48f390de7f81304afaf29f7b7272c0cf8f74e50c174808196059

SHA512
85f27a7073054ebe0adc9ad2731590cf84e19594c1045d1051802f36e0893e298e8fa5e3fb586e595875333157df66bf66660e6b5589634f04ac7fb745ed87ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576419.TMP

Filesize
2KB

MD5
30b8f508502e1051f3ee30171879ef7f

SHA1
1fb298e045304f43b89e5fb50effb26aefd3220c

SHA256
b46f199a934c112c4c6c76e3ad0cd1337f73f6c878b53a58681c7c2837601816

SHA512
b653622f44b18004d7e9e31679c3f8039ec14c38dbcf766736c1990a0b50a1faa83b2374d63e1daadd6b0a49829478940be397228d6eae8ae9b2ea3084ea3546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c8a042cde6910d139073e23cbb2b7e30

SHA1
debfdc15de9be90228b4bc4b53b3cf7a5be36219

SHA256
41dfd8cab71cba57670ee5725c2f58d413714d5f2220fe576c04173252322ec8

SHA512
0b4780837d60faf8e910ac8ab9a9482c2a839b669c0aab4bb33167bb705661ad197e2b77ab9032d0cf8683a42e0678516448f8989b966e3c047c3e17076f14be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
75f434d5dc52b88fcff01cc35ca6dc92

SHA1
58eb5dd3f8687aecb3f242fb709e2c4e4fc30bc8

SHA256
44ecbbbbba48128f473e65f6d7435a02dba30e3a69365744b8ea442eb1ae2923

SHA512
4242d414181b866a3164528ee356c8753b0f192188860441eee1776171436114ea64a2a13b56cf946c6166bf65631cacb0527cec3327e4d67517002ce63f723f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
290ee16bacd7c8863e3bcb748bc15f94

SHA1
1ada7c2f077c54f7f6fa45aa2ff725f3ba57bad7

SHA256
02690d2be3d09da037898356e62b2bc3a2ed82a7c9b6586b6bfd04ea9a5c2eb9

SHA512
8ace039e53eccf6b2188cb79d3bd65cec56f89faaff1163f11255da61e47503f82eaa1673f700f596cc69710656e6cd5294de2d86ca0de44359900d35a81ee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
bda23eed3e6e575b268b86edb6349553

SHA1
071e9fc679635c74473433e749468179829dd141

SHA256
7b9abb45a97ea4bf48d03fd321f49dd6d4a18c7a94557a4d1ca1c420d08c5590

SHA512
100dbaba95f59c1e465d30b46d2b425dcb0cbdced795ea707fc151fa147028ba942967a2be90205c9e8d30a2ad58b685c360b2da28f1ded527924a811447b448

Download Submit
C:\Users\Admin\AppData\Roaming\2f2fafe6c43e60d1.bin

Filesize
12KB

MD5
74cf90154cd9b3459ebed5204cbadc57

SHA1
563fabbe897d06d57b99381b486abe39d85974c1

SHA256
9c982e254ec94639ed8a01d9aa6f4174257e734cb15c6ccadbbce17e1905a43b

SHA512
ecdab74a5e35f1137c5e0a0ad3d2348a0b5ec6f4dbb9fa6f1eef7b9ee43db605b2e7082e15448f52124c3991425fee98265ed33e2f78e91e595171f5fd2a0c34

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d938711eb4f99fdd599b25d6e708400c

SHA1
e11d8ef2eb7db790764ccf966a976f38dffe5b4f

SHA256
05afc526a3e52b1a991486914f96229daf5b22e9b07f84c30830c7667c5649bb

SHA512
750765ff887771eef182badf15e7580bab971af981404542ccb4f626ee1a10fbf0bdc0ff5dc5f1fc771c01c0f7f7a43213b5b59722f3aad1fefc9a7ab6ce3c83

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e89aed4a252182e3958f72648664f85a

SHA1
7fab07c2bcdd7c98cc34883b78dd8b6fdcdbe003

SHA256
5a1865421095db5ef30c5aac9b2d8bed9e6fd9d2bfab226352e758b0c7f2e3d4

SHA512
21fb9e0b0ab2a636c466b8fda71ccf81a7dfbea3504ab8c05eee8e294958f6241b4164a0ae170fcbd471a54383c20c39f64d4f26953b717475d92bf58492de70

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1c246a6efcd8e2bf13847260f6ea1f6a

SHA1
715983b45301a391b2966230a778a09a75fba1d7

SHA256
88c2f52c617719c8b32e8260156046a11570599929181211e065c8694400a83e

SHA512
f3da5fce5c6bd7023613fba5255c0e5ff9e664dfb9a3a2c15f170761bfac836e8cda3d387bc160bb6716488a39d39133c65f7cc975ef8d28f8fa6bfc4ccca903

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28acbd6195f99ddd53393abfbdebcc73

SHA1
8c2aaf91802dbe53bd9c49719ebba3efeb7204ab

SHA256
6a84b6e45222db3b401252507744a2545ad1a041a9055809b7fc19792d05661d

SHA512
92ddcc36865b3bc8bc03e934cc93942b318131a2fb1fceebd6eb4f21acffcbbc0f796aaf09c94a8fe5ff4eabca08d70d8208933f12b7f974eab9daa6f4ac61e3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8d11106ab8403f07e52b3d1059aef453

SHA1
55a371570c858e0e1cb12107858e65194faa84ef

SHA256
1f5dbb0710c017f69e65d217a93be0c40c6533d1e9c7400c6b6da13b7c91559b

SHA512
2f2d1f3503d50e2eb62f2bc61415ba8e5c7981d8688cd0e419dbdda42e84360fce91f25381724d36c09086a69c7c6497d6e084a815687379af5716f01bfd05e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0b84f85ae0e9d5e8bf4b839c1f226df9

SHA1
8d6899dc681ba2e1c52648849b90c225afc7d221

SHA256
1a9e836f183f714b56ccc20663bbf62fb4cf26a609b3bba756e0aa26ffd5979a

SHA512
9b1db8185b51d4f3887295ea95e679708b73997879993ac251c63c8dcf882fdc0c3e5c138fe6fe8928274252657ba420fef6d3c201c670596c8ad72d6d3b3739

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
fe692e6ac5230d16738895a87fbd2bc3

SHA1
62e96fe69285e12d7e9de22d9d1077b92d776124

SHA256
4a1d690668fe091eec060c829ccf570e946bd5286cfcfc1d3e9ba69c169659e9

SHA512
90ce19852f398afb2d59e00cddab5405ec61d3e7eaf0ea7a3f2b5aea6e833ed97475f5d34afd8c094ea622610fb4f9711d03c353392b5def4e73ebdbaf2956b7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
6cfebacde0e1ee509446d73db6c19853

SHA1
ef843e46a7e59cb13107b6cabdf425aa24f9d7f7

SHA256
8390b3ead82893aa8d4d2435969b902bfb9a2cc29d5bbd2be9b4fb5b48349843

SHA512
e9beaa0c2bd80cbc1d6ea4999ac99635f3052c240caca90c129749db1ce169280b7633021bb9238a4b3fcc57d293d22aa11fade03189d4d2899572332d4fb278

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
dcf01a6974c725c9d67053762a54ae84

SHA1
225c0715cce752ae2d82820dd2cf98d28460d417

SHA256
3e1bcc5ec7d6a1f495580026531b02b2d612da1501d9a7b22df11b84b0c6ca85

SHA512
9c67c4e3a52282be3a2f75bd399c8bb128209b9c2e662ba0e7e2073bbf2987f3834c0f151f3104f1d3c961003ce5a3f848d526ca9714c553c6d803496c4ee7f0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5261233c9f2a61285116c21a4aa75b00

SHA1
baeaff83bb48ba041e8116f17098a616e40036d3

SHA256
788126e5f98df51c97dbe8c494e0e26d7853f8535c77b7ee137b272ddcbf2492

SHA512
a9404a98127195f6dc6c1f81a3bf6237d83c34babff40ec1b3f4cd0ea5100ca12a91bd819b11370df94121b140fc12a6500eb72d25606507abb2cfc4927dc2cb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ad99690721c625e75d17f9f5435c159b

SHA1
ab17593bf65210f48a18fea845836f930d9e1bc6

SHA256
ae987304b33696fff1147a10f0ebd54c5b11ef7418561361a8ff5dc7ddf40276

SHA512
84d7175747cde0aa0d2c3957003747ded97c0134f1d3e393cba73d9babd14f104c0d653c399e3adbe1967a9173d522de4c0f3e18d69eba243f24b852357e7cbd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
fe544d4eeb8ee141ec5eac7e627548b0

SHA1
95a1ff175753393316da7a3bbf40acfb9f1803e8

SHA256
b33681d42883c15838f67f4bfdd2956a60de42459a8018d8491fad00c9ee4e79

SHA512
e5fb4a29c56cb9bdd45d6db608d3051ed0d04f787971b9805e5806cacb96751085e6fcd165b9790173a7fc89901cabc3d21c104236d02ad6917c6997173be331

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8695f9beb945dbc32713a4b4589af786

SHA1
c8b782d26bd6f9b3d2dcb14ba4b04e1234405332

SHA256
a9646311288b96698b145cad4c0c9a6c9c783511b2f56f16deaf4e91b6901cdd

SHA512
efa0ffaf40ecb98605e1aa33ea385bfc6aa72f6bddb470d8f09e9c92889428e7eb12e09a3aa0d8812e996b813b25c63f535d1b14ba1a615e77fb6010fb6d7bf0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
69316853c5575a36f43acdfb1079c198

SHA1
a70fdfc6e6214088777900d109a00208042b0c26

SHA256
725b3aa30a8bc7d013548db01e020d24e4ee611723467ca0d5c447f68decf794

SHA512
fa2a1f6e11bfdf96602c564fd27464c445b93a6f8246c16167732ea37efae8db9550c71ce99c16f213c027d3d7982a8966adbe0fc3a8dbc3327177df090043f0

Download Submit
memory/672-110-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/672-138-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/672-135-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/672-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/672-113-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/940-166-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/952-105-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/952-101-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/952-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1800-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1800-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1800-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1800-93-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1800-65-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1828-144-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1828-157-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1828-233-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2776-155-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2776-237-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2776-172-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3160-98-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3160-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3160-72-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3160-91-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3160-102-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3432-33-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3432-18-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3432-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3432-111-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3940-24-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/3940-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3940-12-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/3940-104-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4228-45-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4228-152-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4228-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4228-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4272-209-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4272-279-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4272-221-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4408-246-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4408-264-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4408-181-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4408-170-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4412-234-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4412-226-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4412-296-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4452-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4452-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4544-270-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4544-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-186-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4636-124-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4636-126-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4636-140-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4636-222-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4996-238-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4996-247-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4996-304-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/5036-267-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5036-251-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5036-277-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5036-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-219-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5040-278-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5040-207-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5204-272-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/5204-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5436-299-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5436-281-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5480-301-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5480-285-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5644-307-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/5644-317-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5732-315-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5732-324-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download