e7b343e26284c94d62208834b0d71bb1324997dd476aa7acf91e7b73cd71f05d

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
Size

4.6MB
MD5

a975e34bc8f789b282e3bb3ed9db40fd
SHA1

500dd5337423aa6af94e5f249fe60d23a813b3c0
SHA256

e7b343e26284c94d62208834b0d71bb1324997dd476aa7acf91e7b73cd71f05d
SHA512

15df074e4c8a567f2c9191e17ca0defbe2c97cbac448946509a1a510b32f264a020e260dcbb4f66764260adebb50f9ea88482e7e90231f7574d509ebc615650c
SSDEEP

49152:RndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGE:t2D8siFIIm3Gob5iE2+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
392	alg.exe
2264	DiagnosticsHub.StandardCollector.Service.exe
4300	fxssvc.exe
4612	elevation_service.exe
4176	elevation_service.exe
3920	maintenanceservice.exe
2260	msdtc.exe
3980	OSE.EXE
2184	PerceptionSimulationService.exe
2196	perfhost.exe
1212	locator.exe
4088	SensorDataService.exe
2920	snmptrap.exe
5036	spectrum.exe
2368	ssh-agent.exe
884	TieringEngineService.exe
4340	AgentService.exe
1996	vds.exe
2040	vssvc.exe
5172	wbengine.exe
5292	WmiApSrv.exe
5448	SearchIndexer.exe
5864	chrmstp.exe
1352	chrmstp.exe
6020	chrmstp.exe
6140	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a6628fa28beeeac9.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec7f2e6558b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038ba486558b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e557466558b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c905766558b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4592	chrome.exe
4592	chrome.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
5920	chrome.exe
5920	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2956	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
Token: SeTakeOwnershipPrivilege	1600	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
Token: SeAuditPrivilege	4300	fxssvc.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeRestorePrivilege	884	TieringEngineService.exe
Token: SeManageVolumePrivilege	884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	5172	wbengine.exe
Token: SeRestorePrivilege	5172	wbengine.exe
Token: SeSecurityPrivilege	5172	wbengine.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: 33	5448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5448	SearchIndexer.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
6020	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1600	2956	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe	82
PID 2956 wrote to memory of 1600	2956	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe	82
PID 2956 wrote to memory of 4592	2956	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe	83
PID 2956 wrote to memory of 4592	2956	2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe	83
PID 4592 wrote to memory of 468	4592	chrome.exe	84
PID 4592 wrote to memory of 468	4592	chrome.exe	84
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 1628	4592	chrome.exe	95
PID 4592 wrote to memory of 4060	4592	chrome.exe	96
PID 4592 wrote to memory of 4060	4592	chrome.exe	96
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97
PID 4592 wrote to memory of 4828	4592	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_a975e34bc8f789b282e3bb3ed9db40fd_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1f1cab58,0x7ffb1f1cab68,0x7ffb1f1cab78
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:4060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:1
    3⤵
    PID:1200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:1
    3⤵
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:1
    3⤵
    PID:3448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:6068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:5484
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5864
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1352
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6020
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1940,i,14807334328329091544,1118546008752256986,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:392

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3408

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5292

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5832

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:6068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.5MB

MD5
4a317218021a89971529ba823f387dc5

SHA1
a286f173c0e08d32cb44ff061bececa37a1b2e47

SHA256
6c37cefcb2631035097e24eebf691e264e582634b0d9b300ff656591bf5a5a86

SHA512
4d40622a3396657223ee92756652f7900d80e7f4f56ddec26f70487cc8f528afe5dcdc1272147189c607a795e1fd1c9424ff1c8e2255c9bc34ac65830a993cce

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
aa03eec162e2ad7170d60ad35e47604a

SHA1
634e3974da54144881be40f9c3e08a4424831d80

SHA256
783402591a85075de4dcfe7550ec296f3eb14fe718654ad808b7eb138c7f2f1d

SHA512
5700a7dfe14fef424947df7937a811b42daaac9dd95356dae0462cd1296f4476cd841e46e28ee82edc0d6d4353467b474c16cc052e83fa3c66cb9ff24c0319dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
5fcd76ea396c0eb5686bd3b603260232

SHA1
8a524de08eda3eec9190d9313fb68c6d56525335

SHA256
dadb780e9e1c529c8cab7da1b26bd111e4ced8bc8e4d7b75611c37ae6d8c7301

SHA512
bec092ee7c26c6984d1d444eb86bff65408a03fd72be78bd31bcbfcff67f07238cfaf251a87affcbf7c4808d3968cd4cfdc494c1f224c717a66d659445d6a6c7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ac50685da60187cac36a0bcbba6b8e64

SHA1
ddfd7d7e76ab97d5e7a15bb25f66feef72c54800

SHA256
659475457d7ad3ed11cf01d333d4802e5478a3c5cb0fc2bdc92627be461f4646

SHA512
c1464b04591f7a9740a461d69c0c5d80bd28cb4c54d8517c539788234b9f409e7d45b50a0fc43b69764791554d7b58e4369ad1b61c887fc213885196e2ea3450

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
53c8be933ac88def4bed46bfb2c55ed1

SHA1
5184c58ef85204d872be82ee2d9308da7fc6ac4d

SHA256
0c0cb5dc8209256951b5df0456d6ad3ad068d8519aed0892ba6f1c3f291d7539

SHA512
5c0e2311741badfe5eb07a037b6ddbd1db81be6b326e9d7924d688eded65f5644c0d29b1ef087313ae2c628afbb7011fb47096b8b2bc45542170e2e7c621314a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7ff3e147931e65804ccedadc43dbfad6

SHA1
0969838c355a41e76ed54302568c82269ec5e4d3

SHA256
f3f5a7e03fcb0e057e848407d6b9df5ff2e4fa4981db48681f5bedc166ddb276

SHA512
cc7f48ab5633660bf0441d13d34603c94a06d2f92f6dd342c5ec619e5a49bb2d20054ff1665caec10d491c29013e4119692e459e70c0619a35d5bb3e20e5ed47

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
69774c9f61349f8ecb74611853301fb1

SHA1
7430d1f64f4f7fa971dbd36327bb1c35909516fc

SHA256
0919cd8aeeb904cda6c104c285b861586f642288a929bdb8056ff3dc5e23e3bf

SHA512
748a171283d0d7e45d54efbcdda907f0371a171cab744b343d6cdb75cb59cb03038a049b7468bd30426afb6a1a1d811ec8d3edbe61b7455e9b67bbf62bea7371

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c1104eddbc412bd848a01d121997edb8

SHA1
d4cdf003723efd5cdc56f34a00e62646ba82814b

SHA256
04e9682c4eabbfa1f19930ad7a893b77f77bc88f4b9ac1d7285e14e2894aa7e5

SHA512
3aafdfc747c35b657420cb786d996b7be321820956a701632d2a56adb03dcfb4a0f88f97b89a0b0a39d3fbd7d194f2fdf2f8ef47cbedad183add1c2d8397efba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e190d2d5618c38f77d5f5cbac1bd5d6f

SHA1
189d66cc1c28980560c1e08edde23c117b64cbfc

SHA256
688fa0b7f488c8757477abe2ce9697fa4d4491bc33c04b51f12a34bae752169f

SHA512
28c8d5767d243b019b95655e141b81b1e6fd0921cf0135339c87b5876b907548020282e3f9f8f6054c54310315c4c7a199d98a26a3964d95957be5cad3e46484

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
79d824007e640948c0775578d1ce0964

SHA1
93b94b2d9ff90f70bb74b776154ce23077c5e16f

SHA256
af7d58cacb36d14bb10d5577b33c0d5a0c0747d55f95a15771528994ad7ad113

SHA512
96f7504df5391bc2d1c455d76c91f819553e94dd08927bb3813f10c68527e35c9b6562a041e82da22967af04175d2ab51ac8f2b97d1b1caebab6c8d6a506ad44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cc6914beb8e1ce54ea08e84f98bb2e1e

SHA1
749cd8236950e7c02e822f451b7f070fb99d98f7

SHA256
bc2a183ab98ecb50acc753977c2f57de6745f73c1732c46cc76837f012f08d98

SHA512
fc33e64981c42fe73d199d45219f2b1a922515df4e8f00112aa2ce0e52bc49b7db623a9c6c3e8541956ad77ad10e4ce151f83625c4ce74634bba6524215ab1c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b73952555b81af78baadd80bec9a2dc2

SHA1
312e394326f29dc9f6d157091356e9a56702b3b1

SHA256
cd6eed63137af5e76f26a49369229aa774ee8308207b50d43f22620c14b3d44c

SHA512
332a4072cbd4e3326f12f4c086dc6c0a0bb7d6ca5c68d0765f705f7e192a34088f1a672a7a975f73f9958a30061911304b22f6e4a013df86b5409a9219aac8c8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a2a9e21a7ba510bc209a2fe44076e54a

SHA1
61d4ae0ae4b5d4761843989f4b68afdd4758a232

SHA256
e41f21ea26c34b4d8b011023ad64a63ea8f2e9695f60da55ebb85088cc0e637e

SHA512
a2890a5e0d1ee4e3d8638578967e2651f3c7442a9322cb23feeb9a2a37c0765a2672cea5129de147cf8c47ab1b83ab34451a039032a0783f418572ed0cabcc4f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.1MB

MD5
5f9bb2c9615c97b57cc3fe287dbca541

SHA1
dc1fd19f06ed888c52235fe2a53185acbfcdf507

SHA256
9ddb0b0082f990e932f81ccd23bd93e5539995f4b9ca93fbc67b0d3d18652fb0

SHA512
4034011a947a8692c4ade81d8b4bb1950868fe37e07901a5291363934762b129e149b2cf04a63fe352178d120ea66bcc718e105db1746da842dc6490a58ff952

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8c28c514263c3ae9ff54265c0cc8feda

SHA1
ab68f5c112f27043a8dfe2bbc94227bb0a1e28bd

SHA256
781bc7e2d094cc1e0d73438bb6a2c65b83b12861af11f415ffe3872e5f4da47f

SHA512
b762608d1e0659f17bb7d636e89e94f99f1a089af97acf4e1d0d807f7854931dc1bc730d5a36e86855a3f5cb5fc72163596774e1fa2efd8d38fa34f9909d5ab1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0551980a782998c51bedaec69115dab1

SHA1
61fb0fa2d01146428757691cde5ac75cbb2241e8

SHA256
fdd1d028711b213a80b79037cc63862690b35c209cc0f21ada670ec3db70042d

SHA512
51db974c87a6355e29cac6f4e06148ab2b806bdfd17fbf1c141ac1204fbb9e3223539fb4d623db2102a61bf9282c0320175ca916530b970cd8fae336c4ce42e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
2.1MB

MD5
4598366f1a327a71516dae647c717563

SHA1
b4c81ba2a4127cbcfeea008faee9e6f41263fd25

SHA256
684a9856505ffdad8d486783772e6cf213cc895cc8e244b1790a05a7b692d03f

SHA512
571882f0925997c97b198c353464c079ea183022b185b9236c558dfa3fa554ad8f0dd99f74ed431bc63229b9c45fe9b7b3e38edc4411c3fd4a125ec89b3b0711

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
1.9MB

MD5
1a923e7694e096fa2cd2cae942663a63

SHA1
c732938cb1e0660fc60d8fa0d5337d195e42ea14

SHA256
384293aa144f8422f2b884c87de6d9c685f596cc9cc4b54c866b9b4f2b8b191a

SHA512
5a50dffc491b166f5de9ceaa329cc136c796aa717c5eb3d3f24e1a7203963c1a7fa7b6bf4f94614fa997da544a7b673927dd6f43c3bcb66452807e4768ce20cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
1.2MB

MD5
0ccf2047448c2af72809e7ca83450d8a

SHA1
347a94cf35b716fc8047c9509790917f75f195da

SHA256
1d8e77e8aac13770ac1239801b3ebc9bb5766ea9f8a0d1f1b249a386a11788b3

SHA512
8edd6df93160e58e8a6928ba8742985c8d6b902cb58fce3caa97322b262c9aab55e1f879d2b149a5921129a6b65e13755660cc8df5bd649999e12fc49cc8949b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
448KB

MD5
3121c5cb7967d7ffa771157b094e2c2c

SHA1
9c0a51d23ccb47ece92d84abf4b416083e27a8b2

SHA256
1325ec3e4c660f2f18cbb8c483a861ede212fabdfe182427263b5415e996d7cb

SHA512
6589ebd4342e608c4ce1cab0fd80508f5be9b56b421a4d39f1edc5e81da444db0471ee1ea1598a3de311d4a77c322d10de81b065b86a2f9e43a625aefdd56b62

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
1.2MB

MD5
bc2294243cea7f989ce70a2b950baf40

SHA1
150018174391cfa9a017d9358014b7295518e830

SHA256
ec8d3356bc34070cba149797fa03689e4cf052eaf1ef21d52bd1432903a19935

SHA512
c26bce45b1274d1607321027147fb7534bedf85897e1f8f67dbc6390072b4f4ad7f50a372551d0930eade4c70bf0840228554e6aeb5d938e9f231d452d679fe5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
280b651d0fd56330839ba4452896903e

SHA1
158ad4095837b2e4c71c33ae490196c3857b78dc

SHA256
b2306d5a651c53e8885f83399c94363b40799472ec952cd61d8fa5e924dae974

SHA512
e58637ad55f4912952f7d4f8b3cb7a06d427ac8a944a4f0d0fbfbd6ae1e8b687b8792d85fddf65a1e8500c2b44d27114794205e24462f7934d6b287d536c1d5a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3f1a4b1f-ff25-4a15-b2b6-6e3c0bbb5101.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
349d77d1d510dea9931a2bc95d68f6b9

SHA1
9cea00b4aa4003c66929c1d0a196d7429e09937b

SHA256
40595253fc4c908c12641263838f9eca6b1fee1610eeeb3687fe8279cd191ba7

SHA512
e4d5bc778ae9c0f473b2080ed6d9c2599ed4d2361b61ba8c15399d4cbe4ce73203efc379e0ee22317a326ce07ffd1a3e8b57f7c89a868384fabe6ee54345d66d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
068f805a347df1eac330406367ec81c4

SHA1
6a6a655b80b83c7b891d769bb907888836b16788

SHA256
6bb0989d7f628dae5eff0fabd8c660cd7f5e3f4037a5933eb934434607f79961

SHA512
619fd3db64702d0a054d69202c76d680f88068edf7554b76e4fe6bf007223ab4d5455b864ceed800a3fe8985ab458c29a652e4407e479f6ed7ecb05cd83cf0c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a153e58b2de62eb8c22983fd0448d28a

SHA1
02faeed7083447ac458128cf264f56d9c88c7160

SHA256
2b973cfbe23f642ec059c7b6fa6a0ef8c3dabfa7a2d0db04e1746c0b82de92a2

SHA512
5585546e9c091b93f968e003f9f7a2ada1b16272f1185de5683c423a13d92020226e1550f4b76b994e9f5314f7f19573c8f092971b79fea931457c986a7b35eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
eba70743555b9b0940e0f47fb42acd26

SHA1
d08a56b4adc02500854bf0d559576abc488a11d1

SHA256
383d47615c5c7c5e6fe7ad63d58efb03f50f3f7df55946b7ac615839186c63f9

SHA512
e9dddac9ad7eea0862c7f1e726e267e2ebb4b6ed2984c716171c771c6b1fd62a5e150c45ba8a49e9214dc1160f23f386fc352074967448801415c44833a05818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4cf5f8e919e6813b3c74f0a36970a8c8

SHA1
9e6370948686eff5d584e210efdba0a9b8a6c003

SHA256
bb221b33b7075a9caadc6dd63acb0adee9125f0dcb2b06a1abe817c1428cc823

SHA512
86b1049a479b4931bb8dbb65cd761055a3dd3a39dad79315f8404eb407091e64d9aea5c07e66e4d8bc02077e1cfced0dd331326ebcca059b5b0ae88b7ec02817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576bd9.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
099d3b57a6b60031ffcdd3e28fa82225

SHA1
cb0c43507f12d8196a2d86dabd1a4be30e17a303

SHA256
68172c0cbcdd4f499c491208d443d5b22f1c649f7f015e2e3193fa368dda09db

SHA512
cc882fb6226496f1f4a7a1ca361fb50b58fe1bf9a9002acc5136802d34a76311ca9996ea8be7d52a3010de2e5668eac4e8b50fda3729992c4daae7d9deeaa695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
a05d555dcc32fe2ec01ffa976c766568

SHA1
e9fe2747f05e3b36a118e7fc43adb7daeba41d13

SHA256
2d89c9191b307759de45b07fcf780c061959efd08b6dc9fa27c3d1fb3de298e5

SHA512
133b03adf3dd61b80ff09dcf32f490a6357978eb11959fcb86c41ad5867e4d1f587e8484e7ce2f12e126cc821279eca2b11c2ac279c180bde616718a425caded

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
7d6292b51b2a83a3215ea6daf2de3307

SHA1
32bb393108ce30f5b1bd21f1983be7b26179dd66

SHA256
6c3239c0d6219ad9116deb10469bb0dfa5d0a44f6930da7843506d90beca575d

SHA512
01fc383898b40a001af50f9020f309dcfa0574b0b08ba870e7634842a660cdce17b20384ec2f65ede39196377674674a559831774449f4b4c4ec213decc6389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
36cddffd8e952d915be92b40034da2ee

SHA1
697269a00f1f4339c38d3020667f6863465bccab

SHA256
c6348628f589ffab376bf7cfdc760de905313a0e3d4e913acdb651f1c4d62b38

SHA512
552106f6611ee9255bb64358cf75b6c1c8cc00d5fe260c1e7aec03cc6fa949677b398d95a9af22224eaded6eee33ac4b89c6e0fdf33e9e59777a3c5236c56ee0

Download Submit
C:\Users\Admin\AppData\Roaming\a6628fa28beeeac9.bin

Filesize
12KB

MD5
3eb83ad32a354707ba05574215d470bc

SHA1
e67624ce8574a701389b4fdfabf185da85448024

SHA256
2ee41f1a8f337ecab769ed52f756031f3276156005285de778d42306e810cdc5

SHA512
c986958ab1c2c570aee71a2459c105b2b4f22465e2588dbf51f65b6a6a25399bd82c655931ccf5f82edda8e94ea32f5b438b5c148949aab33a70f60724878fc8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
26a3120a5633d0a21b432bf5fad69ab4

SHA1
dffa303a1d16961ad9d110357393e8b572050251

SHA256
243898a653996c855c76b294e51cfdbe47f9dd75257441416f589ac489850ac7

SHA512
03c45a928fc8473f419224d3023e9cb6be4e3c11354c1132415a655b70d5398b16c471be2421a3332e9b3e952ddc439bdc81fdd4e734ff06ee6588ff306772d2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
512KB

MD5
fcf2c956689bdd67e8efb9a08fb446b6

SHA1
4ccfa35a0fcd3404c4582d1745e969aa05e91afd

SHA256
09d2b3427ae85ee1fdd5930db4f6da3cc8f89ff6fd8620e6bd6141d2e82acb5d

SHA512
b8cf3ae39956d89b28d741e3a477f74b69d66e71d55da6c9eef57e1bc015d7ebec3274e1b15228d541b5049a2d6cf86c3911a7cc9e454cc9a9c7d4be467c81be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
861e6abda750f4779fee1e956b2deab0

SHA1
f54f3a4d8de1d18bd4f37379d4da72353cb69fe2

SHA256
686e257efbfd46ec7a9b821bbbdd1712139b278a84c90a784f8c9ca562d7677e

SHA512
e7612cf80ebc167294d0cf9731af360ee7c22c85abcf44a176e703caad0df5b931c3ca84752ad980a38db0f6a0b5f7a4fb6b5a47f73c1de6a881de3cf209cebf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b1ec825ffb3596e2b79454f1ff5143cf

SHA1
71f53babf660626feb02f5f75302e52b1c0b862a

SHA256
b2bc3541c73add71938d6a0014ceee12ae82af45dfffac0293359567cb835f37

SHA512
fc364eb7feecea3f4188cbcc8b2e25fbf07ea4b40d20983e128bf0c7699ad2a1b316d263d194b0373b523f4d84837a7d71c6f1b988e04c16a34c1119e263d96d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
71b36e72d734266b848460fe2f6874a1

SHA1
960e310db6205f48c1ea37249b3305fe59d55a0d

SHA256
bc87e8423f36d3fb5e63cac81860880b8506487d6bae4d2b52327289a3b51e43

SHA512
1703fd6050a6f67eb2964625944743e96a8de469c17cc13f846d4c3b0dfaae7683b645d5dffef14c15dd65d701f012d87dd42aa49f7af4d36b1e6acd3c9a5d90

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
448KB

MD5
804fa687158b7de1cdb027f7be0a49c1

SHA1
5184639858e7f634bb9f7ce717e88056a96e619f

SHA256
90b137610662a72fbd2c14b8f1f486b33434d6915416bbb130e532aa40f226e1

SHA512
d0d2c7b297c9e5d1a4befb0a1d18e684b737b5f15aa885f061930e9fd070ef28e9ddfbbfaa0406ebdb852013bfad00ca4e8749192f14053af5635a6f1546dd93

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
192KB

MD5
cf62cb9132b3fb1c0bad5c1a8a662428

SHA1
0b1abff788b091b9726048063b7a48ae2119ea41

SHA256
8da5375dc73a5f9155d31b85f630e2f1708608a82320fb20c10b28d6ae600c26

SHA512
2e17be646f4a86e1646f179de5e92f1cd20cfdf18e594b107b888d411c9893da62a4fa2d0fbee4b6a376f114e8f491551c04a8173fd842f71df80eacaa279d59

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2b59abe7d1c4c5fd640487fc760e352e

SHA1
a5fe08a1b9a7beeb110c7a595bc9d00824230af0

SHA256
e18d077b85e524c99326753cb3149ed4d5784c4110c85610c5444e324df56cc6

SHA512
6d15475c9edeab847288e3ff7c4f1f08b7c1d184b6c83bad942a84600acd6bcb649046e902845f2710550a967d51d7fba7b4039e39dc28841970f74a42586f5f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
448KB

MD5
4b17dc5fadf8a4980a7c0a80c215f8b4

SHA1
d8ebd45173fcbc67a65a9468187e05b19f1df2d9

SHA256
dfe4292411b8932a0efd677f4e450321b72ca2a5ccdb22a8120bd2d3704804b9

SHA512
c91c381dfe35e56241c46eca9d0c5d4f64a6cb64265674f8ee891c87e751704c7ec197608387bf48e9b244cc559188afc2fa2ec8f4f5e20cb7ff7821edf6753d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3dd1a1807cfa586f7d7bd26807554762

SHA1
eba78f7d099f63542e35bdadeef68fc695021913

SHA256
8a6580c2e626e558da2cb3809c50f6565a70e359ae3cd817b5418c1fbea604f1

SHA512
1ffa603a7e715e8df7538d06ea86b3ecfa53199ec235f2596002b9089b3bdbae34f97f7cb0096d10677b92f012b0271a709911e3b6f1276d8d651dbea02f2b63

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6db4d4d5595b0ea726305044c0bdf525

SHA1
bf70e697c2ef213ee168b10f5529004f1fea05cd

SHA256
f9cc4497d4c9dbbe9a91838a9b29d59886d55a2023af486a5fba334d2262fdbf

SHA512
854e887a0fcac8e63b9dba70f6f7b38e3c006a8f01155671f19baf3117381d526d714bc6fe02b77f4beed76268fe9f5e6ba0bae88dfe8d5dad2ce716b461d9be

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6b7b48b6f0303b7e9fd19a37d1e7fd38

SHA1
2922d1b480220fc00baf2a1fdaa2fd8de397759a

SHA256
7857ea7308bdd3bf613e39436309f108e2fb8179b756ef63252c7c19555dd0cf

SHA512
e85069ca8d6cc309e212733d4095dbcb9fd8aa974961ed48bd5b3bcffd7ba960770c2096e500c555eb263587879dbe58678fb233ae391701b5c7cf2aff58b7ea

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
448KB

MD5
4b596fdd724cde002fa2b9bc9ac56f62

SHA1
807e794031eda9dd4db49ff995b386c3cc31c19d

SHA256
10fb2a2e86ba66ce030b095a5cbf99359a211b741e1a18b022907e5db4998248

SHA512
08e440321630efdc2cf6e75dcb13f21a70e2058837726e60f135918c10287476fc4b8a327cd39d4408ce594df64fe9da5c1682b05def84b93dfbe2f9d0994256

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c4ca96b635c7862012326a960f197d4a

SHA1
ddbcc5292be48a94818ea375e47c2f76dbd8393d

SHA256
57aa30e1553454a21cd03b303d2114a175997c0af8f11f3870c020c4a6e52629

SHA512
fada1932eae3a17eeef20db306bb14e073477942b12226c78bf104008f5d99ce14bc0fe9bae61d6465064d03eee411b2c7484cfc44fdf534c21a82b75d57a548

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
af3ba73366e4c6c869a9f08fdcdc821f

SHA1
02e59e57dfe3d839c25857df2b4983334870cd82

SHA256
5f8d107bd8f92f1bac43dfea00c55b2a341004c45368b64a43d0c3039cd875d0

SHA512
c522ca0023aa7aee34edf062baec3a92d2177e891caccc4564d0c17fd8235ced68c3ce83dbcff684034a07adab5db21965e4589d642d2b625da533d87d21d4fc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8f41b50be154b953eb20ddbeec7314c2

SHA1
18d2eaf70d8230d26b744ab030cb0c38cfb1d7dd

SHA256
1fbf979941633fef6be9a673a39547ab697a3f3f7cce8ffd672edf0fd7be66fd

SHA512
adce5edccc754b58ba6f818dbd487a395cd63bc807e6b4c8ddee7539e471987e14f1d65ca491901fca54889239efaf9e2892eb12795c52eedf7fe2459dfc0ace

Download Submit
C:\Windows\System32\vds.exe

Filesize
448KB

MD5
1b2e8a85015df542f6b1014f7a69ab0c

SHA1
26e9e25d6f1ba3a418b6f882af837ea3ffb5193e

SHA256
6d97f963bb4c59dbb8572689705d63d2ac3bfbae8b6aefadd9c34dc7cb8ba952

SHA512
830703aef8599c4bd176d4662f63f59093693b3d12de8199e0695965039b1120acc116ea502b58a8b943727d24105c9882888a9a1f3ede4c90242b0ea9c37cf3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.1MB

MD5
a8e6e11f5bf904e2675bd7e6d417fc62

SHA1
b26a3df0550dfecb7fab5736a3fd8abc52d693dd

SHA256
b917828b54e3c2e3b154546c0a7b4e672b0ecb1d2736d8a7adadc8f69ea17fb5

SHA512
e66cdd2b58fe0aa1fe19396da5d81232f3cfbbd7d7f24ec0777506c8bdbfb948cc960d9ff1b84f8e08553b9e1de2c7d0ca23b53f36138616659d210b9f531c12

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
448KB

MD5
f96fd0b3bcc4ea07b93699e9d25f5b0e

SHA1
a9217138d7fcec91dd464c33b6c23e117ae5c0b9

SHA256
4ae1588ff1a36f0c5cad5bf1ef1d169eb50b602f2ee239c9d742029e8c83082a

SHA512
2e241e921fad8a4f030302a402e4ec97af69f566f2594738a6213bd5e0fcb5a828e4f9f6396bae2a56f45bfa9d28dbb5d4d6c2c9a401a878f4c942910967dc6a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
d447ceaebafea65a737d8d2a4fef30a7

SHA1
6db7c3d1013dcbf0c245f0158b7f8ea9354edbbd

SHA256
f559244172bbc017abf2315d035e12c502360cd72651deb9c50b464da58fc2f8

SHA512
e0f19985b477163a36262f9a01650ec2c9a975f2275b7d830ff73c601939534686e65993873dabf06bc2b1843005d21e2a7e4b5b0eeb0b5a420ad4a4b1a93a37

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f52b8b5cfc2c9a81d06cf731258b3a22

SHA1
ed879e9e6629aaa0677b6a7568c6e46325d0647d

SHA256
9cb5b15c47950b4df05cc58145b7969798cf0287b5343e68fcd979f26a55615d

SHA512
ab32917506988bc888903ee1abbbbb6a95ef932f6cbe44e16525759856244d1e1cad00fad91a66d96d6fb50fbfefa524a2bca0649228118915b7d798fead0949

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
ce3572f5cdbf6cebdcba37e387560a07

SHA1
0a0e3d552b807314b98d0efd8cd6dcf175221b30

SHA256
8b9a14274771bf0a07a5ce1dd7abf906f74531e4090529094a1842f82f336410

SHA512
85ce42405e61e8c97566c750b7590809c102032200cc0e662bbae707e7c3edbc58c43dfd60df444f830653a0de4cd0df65f6766dca949732195b13178bbf24f0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
ee2885c6b0e50fba5bb5089fb8d8914a

SHA1
f40d7d7ce720b332025de04c36bf5339c16a8004

SHA256
5cb7272166b522585a91ee829bc5d882b142ddee3d00ce13b5b9c7ea64f128d0

SHA512
9f0823bfd5c0f4b88d9322042a0e5b96ba9fe879e71a28d711699a397b24e8b7588888652d2d7326d8c935189b473a7c30a08dd267704f12a933ed36e50e96d5

Download Submit
memory/392-40-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/392-162-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/392-41-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/392-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/884-241-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/884-548-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1212-179-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1212-297-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1352-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1352-780-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1600-121-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1600-12-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1600-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1600-21-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1996-267-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1996-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2040-281-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2040-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2184-272-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2184-144-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2196-166-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2260-130-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2264-163-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2264-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2264-54-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2264-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2368-532-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2368-228-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2920-495-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2920-194-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2956-9-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/2956-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2956-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/2956-27-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3920-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3920-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3920-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3980-132-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3980-266-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4088-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-629-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4176-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4176-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4176-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4176-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-89-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4300-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-63-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4300-57-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4340-256-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-252-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4612-178-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4612-68-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4612-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4612-79-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5036-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5036-509-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5172-643-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5172-292-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5292-776-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5292-298-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5448-324-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5448-779-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5864-506-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5864-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-781-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-551-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download