67db56f8117e92b8e3f0fd0665e170abe12a7b54223529f3e356d37feb87c9e6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
Size

5.5MB
MD5

61af346ee89435cb5516086e54fc5667
SHA1

27c20efec03db61a03561953cda4e2025adac77a
SHA256

67db56f8117e92b8e3f0fd0665e170abe12a7b54223529f3e356d37feb87c9e6
SHA512

ba7c4ae3882417d3c7d0021965dcfcf8ce0bd1f772bd8d4f5987974bf2255cebf288aadb7e10d90a9689bf80d66bf944f16e7b2b76dc639b112795397f38b29a
SSDEEP

49152:2EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfU:MAI5pAdVJn9tbnR1VgBVmcOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4824	alg.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
3420	fxssvc.exe
408	elevation_service.exe
2096	elevation_service.exe
2692	maintenanceservice.exe
3276	msdtc.exe
4088	OSE.EXE
2684	PerceptionSimulationService.exe
3164	perfhost.exe
4608	locator.exe
2948	SensorDataService.exe
2232	snmptrap.exe
1116	spectrum.exe
2124	ssh-agent.exe
2484	TieringEngineService.exe
3592	AgentService.exe
4100	vds.exe
1624	vssvc.exe
4588	wbengine.exe
4388	WmiApSrv.exe
3596	SearchIndexer.exe
5952	chrmstp.exe
6060	chrmstp.exe
5140	chrmstp.exe
5372	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d6f945cdb4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eda93e8ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b0bd8eaffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba2f1debffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000556fbbeaffadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47f0cebffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a7f4eaffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000963d96e8ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bce2efeaffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028975eeaffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088c69fe8ffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009735a1eaffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
1704	chrome.exe
1704	chrome.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
1104	DiagnosticsHub.StandardCollector.Service.exe
6600	chrome.exe
6600	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1704 chrome.exe
1704 chrome.exe
1704 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2584	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
Token: SeTakeOwnershipPrivilege	3956	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
Token: SeAuditPrivilege	3420	fxssvc.exe
Token: SeRestorePrivilege	2484	TieringEngineService.exe
Token: SeManageVolumePrivilege	2484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3592	AgentService.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeBackupPrivilege	4588	wbengine.exe
Token: SeRestorePrivilege	4588	wbengine.exe
Token: SeSecurityPrivilege	4588	wbengine.exe
Token: 33	3596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3596	SearchIndexer.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe
Token: SeShutdownPrivilege	1704	chrome.exe
Token: SeCreatePagefilePrivilege	1704	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1704 chrome.exe
1704 chrome.exe
1704 chrome.exe
5140 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exechrome.exe

description	pid	process	target process
PID 2584 wrote to memory of 3956	2584	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
PID 2584 wrote to memory of 3956	2584	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
PID 2584 wrote to memory of 1704	2584	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe	chrome.exe
PID 2584 wrote to memory of 1704	2584	2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe	chrome.exe
PID 1704 wrote to memory of 2980	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2980	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2280	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2180	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 2180	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe
PID 1704 wrote to memory of 3800	1704	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_61af346ee89435cb5516086e54fc5667_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaebcab58,0x7ffbaebcab68,0x7ffbaebcab78
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:2
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:2180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:3800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:1
    3⤵
    PID:456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:1
    3⤵
    PID:5180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4384 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:5248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:5816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:5872
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5952
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6060
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5140
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:8
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2680 --field-trial-handle=1900,i,16366807445978895149,9077141887875728228,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e8c3d9073d37e87acb92abb77d0833e

SHA1
23fe90068e121391f6284ed7f4ea6631cc93a069

SHA256
01b528a65e6acc1a0a623d58cbb93de9257042c287261b1ff572793fddf7cf77

SHA512
83465c6d404f6d12eecbc90b2d079b230e536b68340d39f57799088e39e316ed3deaa170d8e01e1d296004d6606ec2c79e6f38ec3160abb7766c3f094793b855

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0fd977d1b702e0abc5b56a9807f75306

SHA1
8ae9bf968ddcd028067314a1b4666acf81edcef2

SHA256
ab34183231a18a51e9198d96629f6a3b44cac180912e381ef7536f7c2e5716dc

SHA512
71c593eea750e7ffed800fa925ae199eaba30d9f789562d01fca4da4cf54c9493f90458111ca78cf6a4bda6f45d26ecf6d24fdde20fc596be0503e79c0a51a41

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4bda45dd76932f937e79ca695e5b4845

SHA1
3d94fe033f7d7846443a7dda8c76d702b6977812

SHA256
2b11509d6b28bfc2bbd14afc9644f7fff933d022b83fa63699a0023343de3308

SHA512
a8fabe9f092326b27c44b2ef23616aedf837a7dc9dfb61d34f8624f255387b91520c944c2585315dbd61c3939ed737f4ef290bb9813e051b14c87fa42b0ab250

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
693316fdda183c850ab26ec26f734c8f

SHA1
ff13f07ccd01209db94896ed56600b7710368c8b

SHA256
9560d56088b6313f50856b46c6f38344d736edbfb683ec468a33836e2b968873

SHA512
3b7a92f1b3eb0d01e6fbd3523bcfaf1458fc6d349a9ceacec9a2f0b410e4a2404f3bca7cf98bce2668eb1c2e1e51d1fbb5a869111592ecff9699e5d8c968fbc0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0e448da8c4bb3e817056385944e88e6d

SHA1
185ef437d035b883ac8aa6ad556fe4ff36bdd5b6

SHA256
c1e3585ea7650357f9d93fde3cca8d9a6cd00f659c99a1f857ec0a9ddc1af0d9

SHA512
a1859bfe1d59baafcb2a695a0c50c16304c1d4086dde261e60674d058d18e971e55a2a5c853927a321bbc47b2b0e22bd54d2a4bb8c6f5be3e4e99b2a0a6a2693

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f4b5d698c375cc11dd84a1099e382154

SHA1
b2e3041c26dabd1c1943df0a3f31a78765cad19e

SHA256
833bb35a5f7f1cb924592c3e4de8cfe85c1d59045b2532b1c459d2af9e6fab3c

SHA512
743e4b7bd3060499f36929b192c0c3b0d0560de35a793739db707748e4718dcabbb13bfd707f8b68f86f1968e5a7c8e8f8c407707c42ac0f72968d6fb269e0ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d60b51e979bee395e3139678cf1bfc15

SHA1
165864a0064c3375a53145852b69628e0fd688da

SHA256
1898f565ee55f0b6149fd76f2954d674abcd889994c0c9a57ed29d5097c00ba3

SHA512
b0b8d001170ad3069e38ff5717692190c1ff3536a7f9e56d4e2310a80cb1a726be43d5b443dcb36caf3f914ae37a6637d8a843f680feafb9f01a397840b6950b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a4c24e0063e3ee0d0f04123f067acd6

SHA1
61002c3f978fee42b8e1e67fdf94fbf0084c0f42

SHA256
a01b6d3d31309ad8f7f5f62def80c32d843f23203b442c27872ccc4651fc7cb2

SHA512
f341c230769c5e57207d35d526e52076976705e59ddd9bb218a709f1ccab5b02008a514651f569645c0d874884930ef30a7b506d6428f973ed38886484b86a7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cfbcc347e935c47731694a13f8d318e1

SHA1
d4c1069933cf93373c7364a64af01b594170a30c

SHA256
facedea2c147d4be430f2a01a605a9c798ab1b652bd2e28a4fb9cd82c9a6aa8f

SHA512
b17bd6048f92a0b0163f346fd6b594cd6a6f9ebcac1d2736e48d1009d5e44ca661da796dd7fef15e01bad82f1cd519cf3c3d2fae988b8ef8726a1be68e79e2e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
54773f40f2bec361b1bc6bbe2f1c75a6

SHA1
2a33446bae8c79ed711ce7a0b7f6a69feb989f1e

SHA256
ebf6ff55873a35942b8ec8688355da728175f4d37adaf509728987f6876ae558

SHA512
2202fe39d67926ebeda9f67593dc15bc27eee00bdab70f580e6650ce8142b7428b7779d6dbf16b5157fbb68477b4b7f637e7129838e51ab28d8e926aaf0b622e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a3c21fa4c1802ca5a72539731a71064f

SHA1
8e00c03f44be47d2d08bdaf299726de4d03b79e1

SHA256
796c9204c4347ee1d5e21aa5a0f3567bda443508b1089e7b524e8683b1a23203

SHA512
d11070fafa630fd557be266ca66a024b29deafc7968631f47da17ca4c3dd5ff01b569624f3d41f0bd1f5dcb23a7df84d949648e58ddcdd59c2fed31cf138a7c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
391fdb731cc1d756f12d5ef534f05f2b

SHA1
d51d91f485699c3528ce499429f369e1d6d6ac12

SHA256
62010a56abdfaafbddce7f545c9c960f22a6e6d1fd1b55cfdbf7c00984431ade

SHA512
b75d7733e6f6654e3f846591f12caed38c7e8dbb9160325c13dd56f1b1a8ce65ccf8c70ea7a41a2f336cc0abc05c45d9750afc57b59ff27aa17407efbec40f87

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1a6f13354a4d16706b922962b87de85d

SHA1
900a5828bbdbcd4fe00f505420f87e15b2f76708

SHA256
f25caf3f1a691aa789798d7d0936783216ab373f29a784b01af9e34fb8688f4a

SHA512
83beb61473bb79f9638459685835faebf0b57e4e4318fb7135e874c197dc4e0ca0731c2f7f4866f386e0b6c9420e67a9867114b0661c63ce7171be33e8919919

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f21dab485ce94ca68159ef1860281e0a

SHA1
2009808935748acfeedf1c62e60beb6274fb2847

SHA256
683380cbd027d6ad4639424cf5807adaab2469509b8bdd754e5600cb0a3b0cb7

SHA512
d0f7e3d2feddc3d3b3c25b416da42e053e709a30ed3109bf4aaae98f24b4253130ae2947999a2844c7f96a4dbaeeb5f9842b487a617510a6e813e8bc625cd6fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8a5c6b24ea9802e9b9e4cf5d35bc6ebb

SHA1
1c1986d9ecf9b62e48716c575d0cd35bf56aabcf

SHA256
95f581650f4a3fd044dbdd0869afafa7a7f09bd627c2327a82e091a3c5bca37f

SHA512
9d4b22b5f650ba2677148d8e2686a09d500b2dba70fb44dc338af7c3e5cb0d73aebe35ad19dbde50ce9d2eda3143b7ff60b31281598091fdea825f42566abb05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d3e3c010d3c395484c1b8c33db1925b2

SHA1
180af6802e3a435cc16d0229b9891bd510ec5387

SHA256
755bb465de8f59db9a9d5081ef3cc43c2dc6aaa4aaef55aa57d1fd1935c32559

SHA512
98be313a54df2724fed14250c08bc804ca9ad5daf8f4492f22fb116d1514a6ac0b805ec46f33cb8a36cc1afa73f442c303e19941a12220d308148e2ba59be6c9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240524172919.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5c64274e990177a57b46b223d50934ae

SHA1
7cd68d2e28441c4b953a18d8595b32c0957fd4e2

SHA256
5e79379b3cf872a3d24e646c409a78698c97acdc9370b0447308abd13b26f585

SHA512
1eb26df3fddc36a7136850256d5f0257d2f07eb83b3dcb4e131c8e8b2e7b22d5243d66ab905ebd1553dcd827bbf28f2c97edfcbc53a91cd7178e580c07681a4a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f142aae070ad2712562db3dda2e727f0

SHA1
a83d007936da4465438ae0a78462ab0630011b39

SHA256
f8b74fe132e26317da79896212888e3bcc167714e8946920bb90edd1e17d2566

SHA512
6f306ff0f41b26b4f7c496fc9c218ffc19582b37c6dea2c8e28c1f27497d20efa520335a8efad6dc479bc7c97653c228496aaade203c522c621a4e7fb18659f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5fde479def6901abbfd49a63a93300b0

SHA1
3a4e0cb79d74cbf46f39c00bb6c489b7e1e46953

SHA256
ae98f0f95d8c12a569659d43ac2dce59f1ae2044c85070e98c7656447b15a112

SHA512
e48ce8dfe9887546f02f3fce2334ef9837a888170ebfa452a707202b401a34375c4bea4ca0c365b47a46abb8acf710b5a1792149ec2eef7f8fa03df3a0b61d71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
28cc93da9c1ae7d3898eee798ead5a33

SHA1
59b0d97bec26dcbacb052ecfb8c374828081b0b2

SHA256
a90cac13f57e3a6039ed35cc440dc289f81e03472b2aae2117cb55998b17f72f

SHA512
38176e05f75310d2f090fbdecee9b9e073520155709e9864f64389a92e8089c5929d5f7fca49ba2e41a439dbae648ab882ec6e65f3156320dc084744122346c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f4cc7684dd7269299f801a657ed300c3

SHA1
ba5084222e50c84a69f37816e3c9d3157ed6cc70

SHA256
e289c2509ad6fed164da5a1903bf0290da7b40a7b2d852e2038be334b54bf149

SHA512
005658772e01063393088bf906443698c6227683b14162aef4f0508d2b49c6f8c794e0fcd600196ae62a58c810b0db33b1864a389f95848e9beece954d954e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57852e.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f5e937a1231c1d916ca5cbdca02f321f

SHA1
b7d25b4dfd4e57eef2f070894b302652f57bba4b

SHA256
63517dfce44923c9b4f277482d278839598fa1a93d92577e7e751e265a58e897

SHA512
2319b8b9852d11ed48531ad5fded2294848a1e87253159a41c8f60de6467722bfd56b7ce73e239f0fbbef38595375e488676259cda9c5239f46c7cbc51aa4110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
1564fc229f5a996f231c837ab1a8c179

SHA1
b0a78a082b188312eba9bf9b70884c2c0b23be9e

SHA256
f986e85eb245a9e6d2347c2e78087f181822029a3724a2b3caffd8c652e8348f

SHA512
a3b9e55e6b276dded0ebfd73dc209f2e64ffebde618a9b964f5bc3a3feebb51016a829c0d08a665f85b41d13bfceedf33e2829c458421c46d497e87389be147c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8fd8e1de9024e4770a58e4128427ebf5

SHA1
30da7555298632b9fb9e0389b3f8be2faddb5278

SHA256
eb73be4ed2a6dbe21799537719a8441833a22f8731d0a2b6cfbba699f9701337

SHA512
4c02bbaf17b99a8211185f6d9a60a31883683001c4d1d0b89e379c7b1ccd2c801c6e08dee649c820c9642e1097f9c3aca7b59baf5f40014bd713dcd13c5bc357

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
38fccc5b56a58be2b1164ed16715d6f9

SHA1
dc900c775d5639fcf637cd4223d2663fd0c1a294

SHA256
29f19bd99c4a475efe4a01ca9ba27a31d8d4eafb8f09694d794467939eda8bed

SHA512
3e5c57de69c67d7802873e9f319f7e84957ca68d29d8c1efce77c8e6542699b9e1ce1417b719677e4b66acef9e2e3d21bbf2075adfcea99aa0df2feb41f464d0

Download Submit
C:\Users\Admin\AppData\Roaming\d6f945cdb4b1389a.bin

Filesize
12KB

MD5
a353055a2de383e1334833519a69b227

SHA1
265face8c150116b822e451da1c359e0a67b1052

SHA256
5df99854f3457a68bf57272bfadcd3f7a0783e3fbcb12ee63b3c2ba5e20c7917

SHA512
24777716f790b791511e33305991793577c4e4fa6a5c8a9cd6025813d6d0a60a5ece0b3fc127ff6a012acc1e4e90bc4e3bd5d572d64c56e63914607449cdcabe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c15b505565db8d87de357b28f04bc812

SHA1
ab958a4792371275747e9f114ee9830abcf4a703

SHA256
5068fe6adc3d0952bf59ead59eb9c32374c12d403bd1655cc9f84cc0396a6366

SHA512
c1e67fc92fa6367282860dd8bd3c0a7cb75cf42f92d200ae26ac67591d6156f451e7b96bf6db30da54f9d5a5f8f612c81c6563300c16d09043ed43c7509a76e6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fb01a95f1325b017c26b8badd64650f9

SHA1
d92bec2e14b185f972d48f3e59101943411ec5c4

SHA256
224dfb1fa39da1bb75231fb28005229910f8cee56fd8f0aa857f4290a14e6222

SHA512
56fb9ec95eac04e034bd1bffd4797560fb7dd6135871d4ad5f39f2718a9a01404b56111ba82e73823fdeab072687bb6958e523a5161a7e3dd8783327dffa3ae4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cb9f1efee53b63e4372ba0338f1ceffc

SHA1
bf5cbbb8c8eec03fbaab641050cf1a8cfd1a4376

SHA256
0327f33e958e4bfc1da806798075ffca4e3b2923e85b922ea6b66ac5ded2b905

SHA512
f8c70a6064259242c0be540be877d405662c55939e1490cbc76a031c459839b060520768fc7adf93053ef86e9a29e10edf94e7bdd3b2020c4f1aa78c2e7e739f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0ba3bc16760ae5dd9f0a4970e39cc395

SHA1
e50fc61fcc7d82272757ea8922879bfe0ff54704

SHA256
031dcb382934f1cb2f8e453d384ee6873f4c369f030c1de53b2cd47ba5b35cc6

SHA512
ba02ec59e377f146a0cf9948056772dca9d71d5c2048b5948a768e713f32cb188ad34573d1a9eeca76faf3e7dce959ecbdadfb450a753438d921a0f4a3e018c1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
aa3c22e4bc98af1437012753350f647c

SHA1
30d1cb825aa187b38714828208a4d9909f0002fd

SHA256
d67bfe9a7a3a7872e72f3857f73d90ab4c0daf8007cfb27718b7b31f100ef17b

SHA512
f4d8f143924998c6e1d2a0a8c09ebb5ee16664d335652d17898e4ff740f2b883a8807c0df1f34af79e711b2b8e079920b91300f04ff52bce23a8f1821dd794dd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ba085e1e291b78619ac2b862e380a511

SHA1
81ef98618f40200a13c9d2cee8a66898a3552b5e

SHA256
434c9d928cd7a934b266bca4e70e51f4553b7aa44485667a9835dcc077f3ca0b

SHA512
fdc404a7152bda66cfbeeb777f24ad07ba0f6b95a509094aa1b096e99ae2bf4a899dfc6d3b5d21010b5636a7fbaa7d394b8fd23b04294dec4ea70cc031aee7bc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
37606a3c0faf60826c7a659a75dd13e5

SHA1
628675b7bfc983dfd3e7430f5023cd06a602f080

SHA256
e772de045e36f049194b40eb3ce885b310c0e4d56da328a13707f308b695af45

SHA512
a05007fc1b50a97bd1e27d0d2a2bffe73cd50b7323da428f88d80ea05ccb9a00ccf07f7f0d214c6d80be99c1f50315052a6c7c1c5d2be7cecc0aba068a240e35

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b0dcdcd6260f9551384adf913caf31ec

SHA1
fdc26b4f38023d02e3de2d286c8fc54f24ed5acb

SHA256
dfb55951e963f3e29b40c9147c196bc5805669e8cae7519703cca9f612365a9d

SHA512
08283daeca3c7a433c27ea1026ffe3c32e5c9e096193fda67a5a10c8bfe47bbead1eb056878b38b100a608684c9d7e9094cd3072570bd74268fe03ac882bb6a5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0c7f0ffd3361ab5781ab03fdddbe7738

SHA1
51566d9bd8f0b7ef396951960f22dbcf5dc1d85a

SHA256
a4126fb89679e60712c08f2c217194910eef259efa18ae4bc078470cd7dd94d0

SHA512
acb41242fea8566b40b9bd9b74b4d1ec7eaf920a1bd43dd94c66ea288632c85f3861e73548b8f7f32bf0564b7515539ab170777d3b11926ff0e5c6ae35f950f9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a55aba1015a731371cd1bc32c0ed3b14

SHA1
65feb68f3c072747bd1d27abfaedea4939e8f688

SHA256
16d718024fc20949498400e56a6567225ce68d2521bd061c9ddddb926de9433c

SHA512
2eee55cfd2409a2c045775fdfd1f0c1cb7654925a30110e5da4727611d2f94bb5758defd3e7c714efa0e8ad2299500c55adf064223e7dd94b2b8e01e50a7f340

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ed04a1f09ae7031d86d0a917ef14b701

SHA1
4c37d2fb6f8681de42f1196f6ee2f92408120775

SHA256
93d96a8fb16c05e0c2e37817fcf6b9853380b9c8cff9a8f0071d2f3b6ec7cf11

SHA512
923cbbf5d084c6cf0c2e982a3a8290f9cdb0d79f6cdf624e1cbbc0f4bef85a805f97471f0dd5cfd7bbd0a03e1025d75d2f65766945ca13ef9f24983e0aad4d61

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1c73a32f22ede770b25c83b2e6ed3132

SHA1
1e8c97fb4c7e32c1787ff348190408c59e571690

SHA256
9bbc4efc15e1f7732045ecb9eba522ecdbd8ad469ee4560846fac6389a7db4b2

SHA512
c4fa2595c14b22c1aba72d1b10b18205cbefc097bd0cbfec2cf3224b0e007c85cd5244876d314cd7c965d7685c24e1c0fc41d76899d7289afc9969138e950f28

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7c2fd12f732e2aefe015778cbe3ff519

SHA1
a77aeef72747f58141a51f09fe6ba961c45ba03b

SHA256
4fb6dc46f590646f7d4478c1c90e0150b126ea9f93fbb9a879e257c398451429

SHA512
23287ba5a459edaa604ac4ade654be0184047a172ff4dea47a8058e83bb642e0d71353e6d9d32d419279e12da78f8339645ce24b6e484d078be87f891e36a750

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1a3f8abacb1c2829162c2d6f77254c92

SHA1
66263bb4e7e84028b2ab44795efa32002c6a1b30

SHA256
b1be66e7a5c4bdef7136a383f0d0e5230ce37b0fa7e067ea72a4f0b6f69e4dc0

SHA512
99c3cf08b5d3d26810965d9dc26a2b68d6480331b6f589244efcd17788dbdf999fabecaa48a20d9b6d43aea73870a79f41eb9854cf0db9eeffd0c78c317a5b96

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
58df0ee25641ed41189ebed94cb16e44

SHA1
1a5d7f8f1738ee1f00f3c45b3da1d14f234b39c1

SHA256
a80854c12b1b9a86b38a9c4d8f03d54a7b82405f63feba3a200d02dd3286d3e6

SHA512
cad81c158b365ffe8230397194e02fc32f9c9e184a188dedbc27fab3dd80b46a9db79aefcb17991c91b5f6c82693336eb2fee698522194cfd27643a219d4c8ce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0cb6c7f58fcd40259cee27b481e165ab

SHA1
bea6b4aea18d4ade291d7e0faf22197473509428

SHA256
6ecf93e1283e682beebc96f6680f74668d44ccd795043aab6d9e0e401ea8b993

SHA512
01e00d9294e18f0bfe9e6962e32690122c50f9c9514a2686affac5980e6deb9dc2d55e96481be3fc3dd283cd25d1d10027c352f0d6be32063ddfb48e0d4a44f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3f386e35c4ca6b83872d4c6422aec5de

SHA1
fb6d31d72694de341b814aba06cf739e4094c9b0

SHA256
637964320a84c1467904e7503c2598e5c858411f31bfaf294646489cec957783

SHA512
461a2dd53fc0904d63fb42a8b098632c17cafb345781f3415859e343f76b7698ed5d669dabfd2689034ccaa89d21bd18b83d6789107261adbaa3cd8732fe46e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3f691bb53a5502b266a8a0b8cd83d58e

SHA1
0037b709b2af9aab40b79bffbdbabb415edf7f7b

SHA256
41c0b4fc9851a62fe82c4480c92b479b456e81a28c2625caa53a71cba85ddb37

SHA512
c494897e0b3caf2a70be81ee72408ab37792b9a064686a0547ae21b02ccda3df27fb181054a8cf9a8ca9bbe68a66e6d724e36af3a7e8026e9db726d352c58f22

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6078d215caea4bd210095449db96cb3f

SHA1
a41a3750c0ca998221843c5f1eea3083b354c356

SHA256
e3cbb25835dd8e036a90ebf23262ecc471437416de54a9b64a6f36e351b5aef2

SHA512
9a7b68a0a19ac6e60fce3d0a93b6b74ddce97505c8f8c7536bb06d1f653a968e0e7556c8311f492600fe11bf9ddafbb4f14f9d1377920d76b5ab0d22a0844d4c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
bf88563aaa797c53ace419d201281e18

SHA1
cbf09afb5b40abaa1dfe11ee92bfaba9cfb3d24c

SHA256
55ad80ec58fe47434437358958e1cba22630600cc71f8fd6a87e91c5b75ba243

SHA512
30cdb8eecf78e87dbb34682d8cf1a7193f4939658ea40afb919d55ecdcb3cad7b598c8ee81728ca5f0ba55d5495bea0fcfdd319958fc9247f0cc2703a5d44dd0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2e4ae1a21b80e8ce7c9973a3e1c4e8c2

SHA1
1e8a19267f4d1ad0545b52bd06d13cfddf86d317

SHA256
ebb8177d1af44b1c043e65ea2a0858e72e8c6ac8285d315b567f3c81644cedd5

SHA512
56fb026a2c5f6f313d920c29bcb48c7ac56804704eefe36293e540a0933a076ba13f0cf1c618c85ebf98fee09f5afc81e97b21164019d9518b8a45a25e94b281

Download Submit
\??\pipe\crashpad_1704_HKQTRTCKREANOEVF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/408-367-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/408-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/408-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/408-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1104-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1104-41-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1104-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1116-216-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1624-220-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2096-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2096-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2096-608-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2096-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2124-217-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2232-213-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2484-218-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2584-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2584-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2584-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2584-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2584-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2684-101-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2684-207-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2692-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2692-78-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2692-72-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2692-82-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2948-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-208-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3276-205-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3420-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3420-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3592-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3596-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3596-223-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3956-17-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3956-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3956-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3956-510-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4088-95-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4088-89-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4088-206-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4100-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4388-609-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4388-222-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4588-221-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4608-209-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4824-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4824-596-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5140-452-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5140-475-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5372-465-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5372-612-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5952-427-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5952-490-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-440-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-611-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download