3e527ba8da88d2fdf91564359a8d046c48bcefd38eeae3d2daac53f948034715

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
Size

5.5MB
MD5

46253377db39227a49fe1ebb50cb6e98
SHA1

6870050890ef82e979490c659cfc8d2ce7da551e
SHA256

3e527ba8da88d2fdf91564359a8d046c48bcefd38eeae3d2daac53f948034715
SHA512

907fd971724d277db2204a2e2d116b6bb7bb19faaccc2ad7dd7900ba79a04fe1b3f05a6506ceff8f9906a0a268f261d36097fff58620b57b6618e2a28729f6d9
SSDEEP

49152:dEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:hAI5pAdVJn9tbnR1VgBVmnqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
636	alg.exe
3944	DiagnosticsHub.StandardCollector.Service.exe
2452	fxssvc.exe
3256	elevation_service.exe
3960	elevation_service.exe
4076	maintenanceservice.exe
3468	msdtc.exe
4844	OSE.EXE
2796	PerceptionSimulationService.exe
1984	perfhost.exe
3036	locator.exe
2100	SensorDataService.exe
1268	snmptrap.exe
4176	spectrum.exe
736	ssh-agent.exe
5032	TieringEngineService.exe
2256	AgentService.exe
4448	vds.exe
1612	vssvc.exe
5616	wbengine.exe
5740	WmiApSrv.exe
5888	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cd6256a2c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000632fe1c9f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000911ccec9f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000f888c9f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a84013caf1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca9848c9f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e7fd0c9f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098635c9f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
4928	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
3956	chrome.exe
3956	chrome.exe
6044	chrome.exe
6044	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1860	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
Token: SeAuditPrivilege	2452	fxssvc.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeRestorePrivilege	5032	TieringEngineService.exe
Token: SeManageVolumePrivilege	5032	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2256	AgentService.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeBackupPrivilege	1612	vssvc.exe
Token: SeRestorePrivilege	1612	vssvc.exe
Token: SeAuditPrivilege	1612	vssvc.exe
Token: SeBackupPrivilege	5616	wbengine.exe
Token: SeRestorePrivilege	5616	wbengine.exe
Token: SeSecurityPrivilege	5616	wbengine.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: 33	5888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
5252	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4928	1860	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe	82
PID 1860 wrote to memory of 4928	1860	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe	82
PID 1860 wrote to memory of 3956	1860	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe	84
PID 1860 wrote to memory of 3956	1860	2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe	84
PID 3956 wrote to memory of 3572	3956	chrome.exe	85
PID 3956 wrote to memory of 3572	3956	chrome.exe	85
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 1628	3956	chrome.exe	92
PID 3956 wrote to memory of 4052	3956	chrome.exe	93
PID 3956 wrote to memory of 4052	3956	chrome.exe	93
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95
PID 3956 wrote to memory of 3356	3956	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_46253377db39227a49fe1ebb50cb6e98_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e8,0x2e0,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ae6ab58,0x7ff86ae6ab68,0x7ff86ae6ab78
    3⤵
    PID:3572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:3356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:1
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:1
    3⤵
    PID:2812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:2276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5780
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7dce9ae48,0x7ff7dce9ae58,0x7ff7dce9ae68
      4⤵
      PID:3716
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5252
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dce9ae48,0x7ff7dce9ae58,0x7ff7dce9ae68
        5⤵
        
        PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:4476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:6140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:8
    3⤵
    PID:5216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4740 --field-trial-handle=1944,i,213721418974041493,6829893959759213007,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
04bd5a6ac15ff98d8e452dcdda22050a

SHA1
b12475bcec49e1237e23f1e7ce81512f4ba6bf75

SHA256
e7ccbb91304322aec1e6075856ed84771e2bcd3587e15e87738d5deb5695cf40

SHA512
58da47d198c1e4bb5ba76496a1419c68921275d3b151c1ddff2b23af83df90e1d78b81abb9d93e4b3263fd29829febd8f71087c4a170f07f2f956d8d2dd3e309

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3cc63825cb786a136bb15d6b4915d19

SHA1
ffbdd1fbb036b000769f87e5570a806155b62b0b

SHA256
a04a708acb0f6a99478eaec6f70f5b3b420110dbf5c3daaca5f515b022e900d0

SHA512
79418480dc5cc790641404b73f9e0413638471e123a63719dac7f9996e0249d9503fc5427d6b69ae3dfd84e02b5d7fcfd58d51c377b733a7ec55a43c984c8226

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
96d2ac6b7f3a818baf38242bc281567a

SHA1
e1e9ead26a19606f2fab50a4a97844ca2fa470db

SHA256
b8df41abd8b69f19aabcfe7774111e9287ec2f9399aeb736aa17ceaa5f10c459

SHA512
5e9c442a79178160690e5e4a618e2960caf1a71a86354eb006321d802f80954fd61ae448442bbb7487804f974458f41cc570522f86a8b1521d5474c8919fa4ba

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
42b3df3e2f82d4cdada84bfbdf0df7f3

SHA1
5bdc547677dcd731ecf30d06dc568c31a06e228f

SHA256
d0182630168c09b32503c8f852508af8e83b6274f31bd0d5f7dbdfe995acf3b2

SHA512
9f8f78c80ec435d9fffe603c8a178e10a0cb7bc4f1340d75a8f02fb256c5855710986abbd6da8d87a1c10626e11c1e2a87f1bc848cda8950971c595948b34a72

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c377d36dac13d44ee26849a065994fcc

SHA1
0d538232f2a03bd65b71bac9e613914274192d2a

SHA256
34aca88c0f0bc7719c3120859bae2feddceca48d87ded6ad0955bed43674c45d

SHA512
8d5d3f73d001aff8dd733d57e4470b5a4447164cfef490540a1bf6edbc24ab472ce04da2cf14b1597d0b4c62b131e6479e36aca384456763aaea07fd303bf685

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ce3f8763b6f25991e0c982c66b38fbf0

SHA1
3105578748c801ce288fb9dfba2595fb676541f6

SHA256
8ef518108518c3c0886d23ca2a93d2cc5ae0dcfbd7a85df33298bd59fe8c1453

SHA512
6ffa617cfd765e4afa2513845a45b4d544150c7ca4dd03559a78c57522070328d2f641e92d1a523a1e18494a1c65a9d2fa3b2b8dcb4f0a1462dc77bec13c67a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
47edfa5ccea672045e587668231aed22

SHA1
9fd8e780310c336786deafbfe0e1a7f46454b1d5

SHA256
ec55901506e266a322f8e6906e5f90d0f23ac21f79d6139dfd1ab2aad973b0ab

SHA512
fcd18b1455ca12a40cf7b096e7cca439c8947c779198d26e5514a72d690a2805d5e3be5016b8921b0b1eb358e2996a27433064032a15d427e548d3cedaa2d7f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
05221827612426807eaf5d1a414a4bb6

SHA1
2d15366bb567bb3b7a7457fdd93b39adc3ded9a3

SHA256
08b6de4b02e3c264c71b376dca0db9a21ee76915e015699e4b63eb4e3795f092

SHA512
0fb1279ad5dcbeef0298bbe7686bc93a92fa3eb4d5718e5a35b12a372c48ab73899614f4bb6624de5cee06ff624e93760cef5bc2bf3125be13d964d378e4cf30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2c1bd756ff3443060f71692064832f92

SHA1
4940ea8c09e7e4b661af9b7b7d31a8a586111501

SHA256
dd2265180ecc86a823583c0d1cbb5e093ba86a27eeed8b5ab0eba6f8b71abde9

SHA512
5b55450c00ee2b9f569091908721f1f0d4d712a8a9d2b637cd7e8da05f5b9140dc0d5cf4052f2521c2f95792e11465e4a1b627cdfc56d5b0d9c9fab629b77fe1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
322460be48bb0f54fd673213ecf7b25c

SHA1
2414e445044f7a12552939aa1b4261f022d3ef35

SHA256
3d5d5afc384915841d9ad31e8f3cee02fbe2b48eb5799d7b7a4999f8451a12b8

SHA512
922ba1eb15b05080834f0561cf164a1dabd42506c91c87ab518c703cfb61aa36551cea75263bd4ed79651f18e43e2974ac25f6c725ebbcc93b24d593633135f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7ff916540e01a492d6ae0be9e1e090be

SHA1
2465052245b794df3b8518b1c3b526267757715e

SHA256
8a161ddf30ca3dc599421f480d71f72362c3596b08192c8dd6d754dfcd7c1a99

SHA512
3ce597f8b641da7a4e3a9b28018eb1045b6454a25eb52eb936666621dc8350d5713fb4c84198b2d4341dfb3258905583ed57295093473a980bc4f1ba59293126

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b1482dd397236ff68091fcf81c31660

SHA1
57879b1de0db56e904c1ae83db06309f369f90fc

SHA256
075ce52c7e4b9562f246c4e8883f16798bb0b65ab100ea00b2efc05ae74cd75d

SHA512
a94eb71bc37778b492ca199062af11ff70e94e9545d3d4e1e589d44d57400d1563d8fee46d65e5abbfc1ff4cb531d561a659c6cc6b93d5cb1568e803528b459c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9a0861cc43ea77d30ef818bd8e48e21a

SHA1
241461ab7cc78ca4f294d3d27cd40cfee7b1dfe6

SHA256
42ae2029101fa5db36a3813c21c52aefb8326a9de897b87026e9a7daed768a18

SHA512
ade6aab70bc5f6483e545da3ee93a8cdabe7c8e2ab4cc48398d41cb9274ca26085a0510d426fd5da494df6c05431fd706b80168a64a725260f211220239f989c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
26657dbcbfce6ac1cff2bdff3eabfd5d

SHA1
1cf988126ee11e90ba2ba199b111e5e2df15f898

SHA256
6e103919bedd5ada51ec84340079dc883ddea7a2ddc96520786eba674d548e4e

SHA512
8540660b4ae03cbeb3f2bdb4514cec223a3b64a6e345e3c9d6b293d14d0b7c442515c48438b21ac9483b0f3fd8e913c5d57a6ab53c1977285e0c262f8183eb67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c8be2174aa61911a0f55baaf7354330c

SHA1
ae5de3cd52c36c93b27618667b8de08d6346e183

SHA256
5dfaf1a0d16e41778663f5c454c9cf826f6871d0d9019e0e2e27d556b9f52122

SHA512
09e2e8cefafd749d689ab81cfa9463748979fb1af236819a9eba915151d8cdf3e0eeac4d9b74df81d995a15462b5c01b5f74745e132384fbae1b469d3ca5fde0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240602133549.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
29e8cbd2e2f1e1fb2d226950fb897698

SHA1
8b997121939625ed0193d47e547fe4ea46db23fc

SHA256
88cff2c8f2f3902076f513511861d33cedfa1eb38328adf584dc2299602ed10d

SHA512
81e0642ace930deb5b8295802dfd5eb2c6562db1e2e34b0a5fce594efc1ff4e376d25b649d5ff5fae730a216e4e5940fb8f079bedd122f213c09b9ad7aca4f61

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
58a659f491e9f22b16b7c6bf82e81ac7

SHA1
43324fb0be5efc24f1a4a2e20d1d8cddfa3166f1

SHA256
406063c6dfad8427cb740395304fa0cc3b8136f8623a353115a02e4d51024ad8

SHA512
4f86b804dd1a9388702a6d3a4ab4cf87c2bea864b8583aec49cdde2cf9de7e1a30ac3aaeb73fe7f2569c2e72629261c9d43b770da0c8cc5a8674a3e17c5f0a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\67cad450-8dc2-4380-a830-29bf18574536.tmp

Filesize
91KB

MD5
11dd9d3c6f54c8d3d6e3012c6afbd976

SHA1
57d8145106ca31623c29bd0b5130d6bed0a8e98d

SHA256
4f1166516fb0b744c751be0fd2ee45e5a9c726db1f43f617d72638f1ed259d3e

SHA512
515068f5e891a48ef63bc2a8d004bfef16b6dcdab7969eb1c3e1b04effcab54388ad5136a2819eec591f774a664ff4c6121d02b804f95921ba2dbd9697eed430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a36b3ee2a93f34e5020375e94f0f36c4

SHA1
166c19d472501476c96921cd17d44fa2c6dcdf63

SHA256
0ac78a0dbf52be21af8ee8cfbaf74f0056ca0abbc971b3a0df57c75af3da0798

SHA512
e6e0c7b3e08611a48f8563264755cfb6247bb2f7c732e61edbbd320fd1483cff27cbccc6119d134b5060ff50fb520bd70f0c8055bafb26ecf8ed716684fd38e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d4eb7e6c2b1ac427624a4d9f99bdb5a4

SHA1
71d3d34b207822c8c4c9fdb772a7e2914d1e0ce4

SHA256
ccc709f92ae1922fe99a59d81f9d9b979ce6c3a8ad7e6be53fa42c6ed5ce8f1a

SHA512
9d94bfde147ed60e1b970468d193cc2418bcc2e34b2d9ffe4133c3dacd1e93fdea60e6d6ef63c89b5cfb3e15360321511bb3fc53a51d72fb7d4b928e85c3eb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
99d8a9deafb71cb781b06389e2904904

SHA1
43a8dc311a95be27d4c1cdd154db11cfdae55ad3

SHA256
df4896424c63a6b5f5ca15e6ae8fae62ce9c4715a5cb8f46e8dc456c138d8e08

SHA512
7862eb16215691bb14f91261ac9a6fb10776d096cb6260703108f3b72e7822f77725820143f13be430ea8e2568eee1aa8274afd679611884c378786be5bcfd56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5775cc.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3ab719e96457a82eae971503e17b3267

SHA1
f9370450f2b5d5512f900ddd78c604c590539cd7

SHA256
f99ee65f01713e381c7b70cda098600280e697efd0066ebae731390a7c524518

SHA512
0e1f72f05353714976ab51af65ddbfab719a18340aee1ff4de9cd2d9dfa137fd222b4ea3e8f76cf139e4a8c054153debdc0c5f583c04c509e90a58b4c6dd3878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
f1aa1fdf99cb881f59b8a99920269b61

SHA1
ce79982ef2a9ad4b2e9badf9c7bcb38206005f5d

SHA256
82ed9b45fb550508649f7a15c84215c10d3904dc0e1d61178815ec927f6ae551

SHA512
a8c02e6ac9184a9c4bb042e9633c8f84b93809ae3ee11a0aac733a4d74d4ae5dfd5f3e125781fddce8e2e8a50fbbfbd25cae69e6de6ce84c85952e8e79918646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
6f5a005330f0dc29413a802e256f2015

SHA1
7be93363fe46216742c901a80f2c4f0c5f21297a

SHA256
8944d0efecb1644402f48647b2bf2950f563f66ebda9e6803f1360a607ace515

SHA512
bdf7ad3614539a711f9c93adffda8c98276508249e67b1a52ecd676ffb5ef1245f124bff38bbbf06f82dcf26cb8ae9340675cc2a2db707da2b5c072845c9371e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
6ad4d858465e43905c5315e1b4cd8355

SHA1
9b4bfa9a3ec09d414bf6b2e1788f690957b2b10b

SHA256
1e2eac9c8a25f962b4e079918cac57cf8f8334bd02fdc107b0c93d05b3a02cf1

SHA512
eb0c2fa6d776f7642987afa103e36e5405b9fbbfed8bd1e1040b6aa7a861b224f35de8a79f413769d13345d4fefa688d584166580405cb179f29c8d3ee423eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
6a0a17ad0fda7b8c093937908090027d

SHA1
9b9a7931a5bfb44d0e7db2930c76129e7e689f8b

SHA256
8a6e7cd406183cbd552988dcbdc568e83699185ac253f59d3c9ae88051af261f

SHA512
84ad6c9ace8454edd5a11623f1432c25beac2c86226eaa9b6c39ec6e7bec958401b9053e2addfbaa06801522c53e3958d3f8bebea590e1df363e3b2d5951bd4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57eb2b.TMP

Filesize
88KB

MD5
4b3070d87280614762f65effa51fbf1a

SHA1
ef6d5976ead803ecef10f4710a815864473becce

SHA256
f1a0b56476f0a7fa1644d80f189c8780735cdb08b44be0676633aef86d56db16

SHA512
1960bf3550d1ee0249a7df65ba72a0e1962f8399233c36d93bd0f632b135fc80798bf2f65138ab223124c937cb7170a92979ae5d404ad34564794bf2ae51b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0e3019a8f52357422340adeac91a42c7

SHA1
ca588e92d68b911a65199198329c12c30b791922

SHA256
da564df42849670eca61c1eec4e437f944098b2b4364367516a7c7521d9d0a7b

SHA512
9cd66d83291efe310213c6c0126f07c4c1c4225737e1f4b5745804e426cb7e7b94cdc5d314653108170db6834f110ecb35775ee94420a1ccb0b799f70dcdd524

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
dbf995faf8f4c9421c69a41628b81022

SHA1
6c6964c8609a2ad5117ee2bb01bd4c12daae668a

SHA256
5461027c00dbffdcd8a85783f0f95ee14cf1e1e84249b704c6443ca1708be502

SHA512
ee5b90b8d02b8dd81084d9b67f9e6d8fd76ed87e911c0e39de4279dee8c44a9cf9560c033e411ba6d89f7733cb08739dea2bfd817071ef6ea420e603b424d603

Download Submit
C:\Users\Admin\AppData\Roaming\cd6256a2c3136770.bin

Filesize
12KB

MD5
c66c59111103aa2a6351bef140bcee52

SHA1
0dc4426814035cfa8eb3034bac84c56488f30661

SHA256
d5f6eda01c1e438751e0c435d025549d0b9c16ad35ce3a092f129b9d47bd69a8

SHA512
1b880b48138381465e0e3938f856cb7989cddf91f91cc606099049f23d2a98752b1e286303e341ae045cda536cc573a318e9ccc4e4a1242b1deca15134bf19f7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3f62bf9fe95b34d8dcc74e529d600fe5

SHA1
286fc1bc04372346461bc0e6afb400ea1b8a9ab2

SHA256
4710d1e5a1819c4205a3cbaaff116227f6f4ff866ef720efab5f37c2fbbc5903

SHA512
2670eaf50d7a454e09e9ad649943b799fe5368ef72ed4e1e95bc2638f900901c296ce8a56dc3eb1509ae8cb157e782fbc78969c01a3eb59f90e44574c44d513c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
50f17cacf522a7ea5e70be62109f2a9d

SHA1
6aeca0025e200f892696a90ba4413e6a55434d7f

SHA256
ab70251c953aae2e716dcbc032367aa88b43e15013ddcc0a48ad0188eadf5266

SHA512
ad4d5bab4179c2992221672b6daa6fa0c63de9c0a30e4cb182a9fea9558bae468ae6a54ca6d75c71d907553f2ac27dfe93ab62136182ca8508cdf85ea1e454e7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
58c60a2641f902d178260f0540fda525

SHA1
1b8c93de853127101108bfa8d427fcc34bcfbb15

SHA256
49fcfd972ad0984ee989b24af73f761986aa226baa4140f991ceae5b7e0cc139

SHA512
33e2d0b7e4826b988285c01125f56b6e88004845b1f2b0718b515b98dc4b53a70c6fd13b330119d27f4fb5045a0f8912f352b7dd7515e13d44ae946f263a655a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
87e017817dbad8958f6956f25f643a06

SHA1
567fb50e96a0cf8044b16f31ca35270197262281

SHA256
bc36062d889858371c7f789f8dc31883413446292ee60e28c48a7c642845a4cd

SHA512
06c562bd2e3ba850efb07730fc378415a9d5caf27960adfaf815ad51f09144cdd4f12bc47c2c9bfaab75520fe194c7ce115dd49a87df79deb0758a5f7e528297

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3edfcb3f5e60ec4c3a2898ee7e73b3d4

SHA1
0b1ac1c5137c67898701fcc0ee7f756f8f7310c7

SHA256
005909ecb1d8867237a1c9ca40dde4cc8cc2967fabef4c4131deed028f6e8d97

SHA512
1feb22eeeebd4ae8df0612aaf727dd20634754c317f29a6f9a8efa08bc8c1f964802496da470ca27fed435b195e1205359c81d911168ed747ac6be341bb510ec

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
622d85883ca9128361668790b06fa56e

SHA1
74d328379f036c7ac2f43d0f21969be50815732b

SHA256
fe39f894ae16255204a9ace7fb6479bc0c7a46aa58f0400c966ed09a66b2eb3d

SHA512
ef1f7a43388414eb34a01a6fdd7cb6189307ba0924fe31575b68161fa1047a96fe08e6b27799f810b1b234e8d74b861e3c784a909029def147fd81355117f584

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
eeb8d4b2f30009db2fbf164ca758cd39

SHA1
3fd2aeb2f70aac9ed0a91d3f569ade5df1c417f5

SHA256
81af4563c81430754af46a4cf835acd1dc4276363404764b52b839e148a9c3d9

SHA512
5d2e536d0aa8dff4c508f06b7eff8bc6242ca41fca79edb2afba31c5b62b5bd547d4834ee89ab9f93b45fbca9abb91183f1d6bb15de70815141ecf0a07592e60

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
49fb49ce0a6da39646552d7ef771e6c2

SHA1
e4b476ed8ab6c4b6bb2b22f7a9239ff7b264a3e9

SHA256
3dbe223e6e351130fd4a4dd99def42f01791a82e67aeb8bcb1d274a5e748a94d

SHA512
62d69aed9963b697d7c27e86ec3b3a126ed633e19fd459795e4dd313113caf7800cf649577a539b7fe3f1b9c8fc29622fb423fe6e0fa3c9dc49853cbed75cef2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5ca373403cda3870f76b015799a482a1

SHA1
060cde6250a83c3cffdef6068bdbb5bba6121f4b

SHA256
41b399ec38b0532f2b198a229cc2b1c72fb3df7da4e7e23ae2038b82cf308e8d

SHA512
a0ebb93039914040db49f62ce88fb458c089cad4e39c07956c094e28f81eaf7e0dc53bb18037e50e8135612fc832b1d91d5bba786b902843844a311fd9b3fcaf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9d160a380a6bb49de7f197e758eb6d7a

SHA1
22e2eaf8e7b1f7552345616482cbc8846d465817

SHA256
f94abb70740a0b4697db1911d1849aa6e9253b56d364e34a5e6f238fa6dfb288

SHA512
832f8a467245d4726f4adf405c308a38c3b6528392f8dca44e73cab53b52088ce626352535941aba4fea4dd2334ceb3dd2ed6f7f8bb5649887fafcf8b4463b35

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
536c5768bc05662ec9b4414eaa1d8599

SHA1
82c1460431da3b6f0da71140a7b244d608e08051

SHA256
813bf929acd98ae230fc58ceef39c1d1ad55523d8548255205e770f7db521564

SHA512
9875c8e9f32957e317a3b27d73d40a40724104beacff694de94f6f15bd76d8c53acd6ea3da92b0505b7082313190165a9e713b0ea9902d5da8563daa458b4a8e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77e63616a3121726010a48548543699f

SHA1
57c54ebc5270040d279f81c24fc105ccf6291d9d

SHA256
3d422632d049104a7f1072dfff5d6d3649d422692f4ac4956a417f3606376d0a

SHA512
e24313e45fec179008c0e274c95b5437189ca852d3b6a92a3d632c5313d67946d7bc913d80351f313115e1595d2f6c42610c23b6e04ecb39d8072c48f5d182eb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
a6b29ddc41db85e6c43f7f50dac7ac6b

SHA1
c7dd9183ccc78039c7db8a17b34239e336540f86

SHA256
d7a67f2fa8a9eb78688eddb7d8eb6082e3119e5e03217f37a3eb8971aa34a59a

SHA512
da0194c957eded5e1a88955dc1f98fdc927f0d5fa59c139d4b6a7bc46f57f32e113aad788141c78b94a2de6a1391d675e2c08bd43ea8dab3dc56be8c02f93d83

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3abf0ff1a43bbb053a6a401fc748de9b

SHA1
70ffbcc5db61f952609afa87dc20edb015be644f

SHA256
4adb762461119b1606c186217d3b337e97439425e3cfdad033056da5a4cd0e35

SHA512
fb062ccaea08cd62b9d5fd9d590201059e329e3612ca9b28133b5f2c6c0bd56a390dd21f53ded06f80eccd4096ec17a09b10567973279b639bf7592eae48369e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
410fb920d16f18d2f4b2c144b00254dc

SHA1
a5c7c9e778d34d989f37795ea14e3e079f05e4ef

SHA256
de0c0fddf3adbb366c2b9c9b920e79fc539f554303643d76fba03ae552187a47

SHA512
c545b5cea33ed092585379c53c2106b2f97aff7374dd5c58eb1b939193aedca9dbcf213dff321d2476f0ac5b5dbc2814be878a26d41d6bd9a3d658c32acfb466

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
56af25eac4714656d3dc0d715da6bc0a

SHA1
e65e26250b95481db2d66112a05bc7c317414f66

SHA256
3c8c3a1f87959b3cf0040b92ed78977763d9483f554df29a4f7aa5514cadb6eb

SHA512
8ca4a7ae10340cc66e15fc7d9a1b5aafdcda887f7108bc65225149c5a6d10452db141b6aab31e7ebdfc5c6d5d0f69a413f9586ae4698ccd8fd4113885a58070c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
53edfef435beeaabb6c8defe8d39b08e

SHA1
6afa0cc15a3e81e4876bf8d8d1028244f15fc1a8

SHA256
e5815034bc368d1eba8bb264cac4005937130dbf122917e1135c800aa51e27ad

SHA512
c3c2d27313e65a7b094ab2b657197b0e10d833e8120b8b2e17d53372431e094b999c3229144675e3f71d35ec66731aa63f5ee2c9858b81577d4a99cbc207864c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f2b24e40b00d7350229179446f39dc47

SHA1
e0fe52dfa4758863cf030bbd19ff64a27ac67af7

SHA256
d41e5e3c1902b057a594bbc8979999ae1cc0131f027f5302d9d307edd80edc84

SHA512
88eefcda585094a2c83f3c6c42d19ae5c53fd2b897b4e0b46793ff82ebf1d24d2a45f40532db9ce060ef73056d3d20be3fec5f59e4b195f1d06c7c42f9bff76b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
97f5fae611777f18606dab42818bd64c

SHA1
0db717df85222c60c62f31e6f3d6fc605172c698

SHA256
822d26a4c6d5965b18f6078ed227143e50b54dea622d71d29f6d9c6a2bf2f8e2

SHA512
84a680f89897c6a92258dd95abe278f17f34a26ab8b2384a3f34a3f3c53df8158c8224d8956f7b8e472a288eb37b36ab586f7f61f420c614e4241ebee243a8a5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
9769c95e12915e74acfedfcb5aae126f

SHA1
b2a6466fcee2eed2c2838033a88448195271f703

SHA256
7a6d8f185666076aa80a9ea3f7754fb5eca01a17d363699bde79435487b343f9

SHA512
dcd877f98006ae25e2e07fac48e685950499f992bbc47b343b69204bc5460948ac639154482586128d8c9c3f0b4fdaba65baf1cdc93cd737fb4bbbf275b331ef

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
01b31e4eb05c6425e80033903b8c51ac

SHA1
573d0f66f5d8017761c19440b4d51a00a9c1ec0c

SHA256
ef303d0cb538e12025b27375653423ed14455c76cbebc625f6bbe1724a2cd667

SHA512
c6224cf083b16f934eee1b84940c45403f07e9526c3c5373ef88ba843242e78ade9a4a26d02deaf9de98e5364863241f8c8b5fe9f49b0a6e221e16d9b28b318a

Download Submit
memory/636-166-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/636-39-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/636-22-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/636-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/736-260-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1268-675-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-216-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1612-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1612-755-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1860-0-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1860-9-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1860-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1860-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1860-35-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1984-339-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1984-170-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2100-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2100-586-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2100-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2256-748-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2256-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2452-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2452-68-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2452-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2452-65-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2452-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2796-330-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2796-167-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3036-192-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3256-73-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3256-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3256-80-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3256-74-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3468-130-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3468-298-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3944-54-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3944-55-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3944-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3960-93-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3960-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3960-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3960-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4076-117-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4076-104-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4076-129-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4176-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-747-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4448-278-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4448-752-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4844-155-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4844-312-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4928-12-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4928-18-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4928-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4928-151-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5032-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5032-751-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5616-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5616-758-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5740-331-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5740-759-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5888-764-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5888-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download