cc4c406691a72c055f2caf8d55ed3171b8d53745f04ef3b05ca02adccd0ab02c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
Size

5.5MB
MD5

b9e9480d98c66d5dc6ab961ecd984d46
SHA1

e2f55ce879c64ca62d1e3a2a76ac3adc72c0372a
SHA256

cc4c406691a72c055f2caf8d55ed3171b8d53745f04ef3b05ca02adccd0ab02c
SHA512

be3cd9dcc30cf2cb733f717a3344fbe0b3355af9dd4dec0fd8ec54422c43b7d0f0fe98c3a06fde1f2b1e1a6f5f1637b339047775ec030d17d274a41f1f5a757d
SSDEEP

49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfe:UAI5pAdVJn9tbnR1VgBVmZUtq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4064	alg.exe
2824	DiagnosticsHub.StandardCollector.Service.exe
712	fxssvc.exe
4532	elevation_service.exe
3888	elevation_service.exe
5056	maintenanceservice.exe
1240	msdtc.exe
1444	OSE.EXE
4308	PerceptionSimulationService.exe
696	perfhost.exe
1452	locator.exe
4976	SensorDataService.exe
4052	snmptrap.exe
2904	spectrum.exe
1536	ssh-agent.exe
2876	TieringEngineService.exe
1820	AgentService.exe
5176	vds.exe
5280	vssvc.exe
5380	wbengine.exe
5500	WmiApSrv.exe
5624	SearchIndexer.exe
5848	chrmstp.exe
6056	chrmstp.exe
5004	chrmstp.exe
5224	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c53d6f8abb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2d6c3883fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba3504893fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c75a2883fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daec79883fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5aa19893fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096c3b0883fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b2110893fb8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c3242893fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
3592	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
2040	chrome.exe
2040	chrome.exe
1548	chrome.exe
1548	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1748	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
Token: SeAuditPrivilege	712	fxssvc.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeRestorePrivilege	2876	TieringEngineService.exe
Token: SeManageVolumePrivilege	2876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1820	AgentService.exe
Token: SeBackupPrivilege	5280	vssvc.exe
Token: SeRestorePrivilege	5280	vssvc.exe
Token: SeAuditPrivilege	5280	vssvc.exe
Token: SeBackupPrivilege	5380	wbengine.exe
Token: SeRestorePrivilege	5380	wbengine.exe
Token: SeSecurityPrivilege	5380	wbengine.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: 33	5624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5624	SearchIndexer.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
5004	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3592	1748	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe	83
PID 1748 wrote to memory of 3592	1748	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe	83
PID 1748 wrote to memory of 2040	1748	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe	84
PID 1748 wrote to memory of 2040	1748	2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe	84
PID 2040 wrote to memory of 548	2040	chrome.exe	85
PID 2040 wrote to memory of 548	2040	chrome.exe	85
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4932	2040	chrome.exe	96
PID 2040 wrote to memory of 4460	2040	chrome.exe	97
PID 2040 wrote to memory of 4460	2040	chrome.exe	97
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98
PID 2040 wrote to memory of 1480	2040	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-06_b9e9480d98c66d5dc6ab961ecd984d46_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2ec,0x2dc,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b97ab58,0x7fff1b97ab68,0x7fff1b97ab78
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:2
    3⤵
    PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:1480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:1
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3964 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:1912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:6040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5848
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x2a0,0x298,0x24c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6056
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5004
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:6080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:4416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:8
    3⤵
    PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 --field-trial-handle=2040,i,13235549785832972652,16592364967946414344,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4992

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3888

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2904

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5624
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5796
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5868

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d5017a065feeb96c0c0bb4833568efb3

SHA1
19d3b92b2304633f35d80b099cc3c54d8a8d93b9

SHA256
725d81960cc365c1f679fb4447aa9f6067c77512a8654254b457c92e9cbc4e35

SHA512
c09ea55a95974d8d0b441cded67309c989cb8fdc0a7c1e9b8b8c8b810a26a960c01627014338b612bc1ec267ce736441310804c8feb4ac26aa42c6cbe8b08409

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3966fcec55edb1373fcb3399b3127b42

SHA1
ffe38fd12a01bac8e31981d6ca2599e32698ca1b

SHA256
4d569c5341fcf656a00ef3d7534e54f72af25b6d485fe24df8b6b3bb19325ea9

SHA512
5118b90f0b8ff4abe78502a33cd783f758df291b556bffaaf261d797c5443d6f6da70f423ce8174968d943449cc2b3f34660c7f4f975bfdb1884c4a1e75c51cc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
54bf2909749b77d0578e17863b5a14db

SHA1
dbe12d9cd8e3250ab2813e2aae33476779a4f1cd

SHA256
253a2bbb2e6ad3e71fbb5a01114d2e4e54f0e47f302945685197c241ad0ac2b8

SHA512
96474ac9c8819163d82dc1f106f42ca8551e6efe2b468ca568b7bbd0cbdf84a439b94532b8d4a31d317074d55e64c9d6617eac83604a9ea18674b19436cd4cfd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
041683e5358af1ca81a0746e6323e844

SHA1
1f88989710ddb44fc4231700583b562637fd2c81

SHA256
0322e227c085b6cb27096dc63f622875e41e5b0ffffbfed3bb84ca1cad05afd4

SHA512
70e990981a975e1102b1aefaf807dcbab2be2ebf198b630bf34f4e74c96d2d75ba08d3a818cc8c9078a6d4cf616f09e463280336c6ae458d6a4dfda3a05ee703

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45442774a5fa16c112967a0fe4077450

SHA1
c281e58c88dbf289a9f48078410cd7d636718765

SHA256
9000caa3fc9dbdd655190941ce3efa7427918fd8505a5ef10165562b346875dc

SHA512
3bd38427f68380297e4efeaf0fde14d8fbd0087bdda28834ad9314435b4185f1298647d84b30f426617365e8e6137c7868229d2a859c37faa947d2ec5b7ea338

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6db908816360db3fa6b9bba345089a85

SHA1
0ac114ce906b840ce799394040488bc556648148

SHA256
69e030e70400f0059aac8581dc0ce2b7b24230480e3e3e6bf9c2ed876571608f

SHA512
65591c58962c199f969b222ab9690f3f133736dfef4ed95cfeae45fa3525d2e1fef8d6c5729b1ac59cfbce237f95fb4f574af5257c14b6744ec1028356fc1eec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b74a71b1d9bfef0b8742c72aea69e314

SHA1
05a9cc127fe3cba0dcc6e87b16a36ed759cf7b3f

SHA256
aecff1677227fd1625ad1360504cdabede2f557884a3ba7648a33b433cdf6c0c

SHA512
5588719fd9b938d86c5fda8142d670cefb19a40d0bff7dcb4b7a9dde26d2269aa05b96d8bf574614323a5335d5e043603edd5570a1ea34c60c4ca62d90270aa3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e3b8408386235509794e1677cf53f6d4

SHA1
5a0c027194dfe7e92f53a86c787ca34538738eed

SHA256
087bb5a6e735c3e8e469c01a81f6fc6f05035ac73d55f8594e2bac46bab57407

SHA512
49903f8ce56f2bdca9cd1f55a2c37e099123e262db6511e9c61c8e7aebb7e3ef60a1cfce1e386ba6481c9b6120b24e416432f118e06b8cec66cccfe9b33e1f3e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a105ff19f3cf0eae86f7fa71ef65ae0f

SHA1
7886b8c7e24df2f364ec153830403b63c11dfecb

SHA256
91cb7f9b9fc29384f73d02053761a85b03862d810f0c978f16dca777966e349d

SHA512
efe8072f3c35d79893ff59b1dcd5e25c44f4c2e112ee8ab094f0ab37b0bce30dc00cf719c4de767dbcbccbae404e074ee907991c07f14cc536f65ca0e92f0cc1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f5b8a28bc395f4925dee361ce36792a5

SHA1
55e6104d86939e33c7fa24cc2ab3162caa0b9562

SHA256
a9c646e9f67dd80386e53236dde600780ec6baa646c4383becc4bdcdccd588f9

SHA512
3981113fa25a2799e85ac575185c38b58093190590ca72cc3e7531f5c8894fc944bc36b2c71530f3306312fe27a4d47a61520156a9bccbed32d4316a79bf16ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2ac7d06374d76e8278bddc1af1d5eb1d

SHA1
6074eb633ff3c3531b269c476452704cef16dc80

SHA256
7d33dad7df6dba717bbe23c0f9268757a8fb570d351e68303239ae872fb56e04

SHA512
0925ca5bc27754af1a383fff69a2c5571b785f17048e744909620c9d769b4105d6fb6334892acfa24872ed39f9470408638d909a67d60cd8bf61bd0de57fe279

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3e10ef81-29b3-44b6-af5c-a71936db859a.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6f4b1d897aaf53be6ed1ad11351d6fc2

SHA1
d5b70a55a38604b60bc4834251cedeed777a316f

SHA256
1912b6e8fd300ac18ed29414a97a49fd651278516af4c7e501f6b75d28e5ce1f

SHA512
19ad8aae6d6d3eadca5e6d3b5dbd4678779ac718279bcd624fedda439e9201b83ca2ccb225f3d7ec98d7bb2adc8390cbc3519d3454c5a2ecd62f6e0a93e173f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1cc91fbd3cd06ec259a8ca0beede3a99

SHA1
942d9cb4e737fbd7fe683e03494a9a48b601ac5a

SHA256
003c1e06b6e3b8ac50cdcd8905f415b5c1d068534a19ed55643fc55008bd2d9e

SHA512
7a5bb3e26bdd2e76a7640a31fc51d45639d48a85bbc681dc69970f195a10d1f2ec3ad66892edc53486e89293914fbfe9b4f8b15de7ef86982ed97fa384ddc7b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
79bbdf3ff34995d32e3b1b1a0174e494

SHA1
749ce6f59bfbebc4a05aacc39a58a3ab3f0c6570

SHA256
dfecf31e6ab66032b95718b701815a5e42f48deba3e95f837e6fa63f7fd1d7a6

SHA512
098008503b16ec33ba7a3c64391c61f4e54a781eca34e450d8469e44a986a755f9daaf5bfe1d86e723ed1adc4e6186e337129bc67b08b08706fefddd4a35e972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c8306d155b80044587ad8f4e6df669b9

SHA1
7b34fa6f6aeb38cf94a5ad0dfce10d88230c79ed

SHA256
a2010d9da78b6720c4bc4d2118c600bc92007545858f49257e1dc2e8e3e128cd

SHA512
51e7d9649927dbbcd3e7c89ee2acb336cad1788fa2b609a96381a46579763075a2bdcfc3473ffda137ec55090f86e18a2b0e28944eef2d6420b00a8abbfa75a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576ff0.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2926b60d324bbdca095ece463001c92e

SHA1
f0ae7c157c73f87eacd8489bfe083b70f3b375c3

SHA256
2d70492bdcf19b81dfd53dc79383a3a0023eef797ad60988289226d219a7eabe

SHA512
b44fa08c6ebb97efbae689d5b2c77ff3824ba102874a23966010314bae587b53b675b9f7626605187baff3c6ce291e3ee8e1db587beecb8617a50a977e9d3f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
160e558afd65346190e5af68411710a9

SHA1
232eb53aac21e506e1d1cbb3ae95cbff0429977b

SHA256
63b1bc1229fcefd9e93d39e0f0fa09c6ab403c06f0b1d4e91008b406af9eb0a9

SHA512
b935d1e38eec7944bc566e58f0c96eb3e8280f6f638891043b384a08b7853a14d2a148d4e3cbd62b16f19fac2139d1328eb3840b81a253ef57365b473a34a17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
b0dd31b386f18951e2fd32181283fa23

SHA1
9db8c4c2a39cf589e06bfe88c42feb553d610281

SHA256
8cad0d2909248f369778461d8afd00dba0624e5bcb099794154e91cf615f70ff

SHA512
9a43082879ab91dfd5b77086297c4fe958f4fc50046b4f10029237f774c203d0a60ee3c5c28f7676bb2ed0038ef7f827adfd61563250123552f937b8d33a3769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
1e59b45898c3f1e94023e7b745d20bec

SHA1
4d7780ed7600b331cc05af8fcd0cf49eaf6fa94c

SHA256
5425f3c24b52c83cd9fb6a6025f893b92d0ec638500b497af9deec9b2f24d532

SHA512
d2273bfa8dd875442dc0960f05763465420c2a9f5aa36d469336078e22accc8c75c6be72c6e1460efb0c74c161e4ecf926394f59f8948037f532878e203e5e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
f813eabf3909daf6b351f5238e762936

SHA1
ce5640edfff2a11a2a2d26ed727f8a0eea786082

SHA256
b8dffc539e52426efb4719c460b947f690ed5ab5bbed6a6a0b086653454a74f9

SHA512
8d412ebbe45bfc358b3c31d9a7b1e82131727e0df5879bef0a6697c3ea084fd6f5d7108ffd36cef23116713807918f9439b2530c6fa81dbfb25e1334612867e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
d26b4006fc5a7f426e0cae81c0f8cf2f

SHA1
99f3eda63f6313b652bc9490eb9986b1088f306f

SHA256
e8cacad8b63f999f634fe105763dd9b0d02ced9f93e59f57b68a9caf431e5ded

SHA512
555fed9e8cc745d99176c6044702471c59be1c701f6050b241a111412ff189b8a336a0cac4ad627dae7bc1a00723a849bd8ffe965d3fe8cda5cb2800a7bde325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e54f.TMP

Filesize
88KB

MD5
ec3065a838c9d42519786c7c2e7d6bdd

SHA1
9f6ffcf3d422774570d8036082267a390bcfb27a

SHA256
38b8d2ec3b311cc889f649ab69558670f85bc3712d4a6a1643be7e7ee965b530

SHA512
d517262eff711d309fdf7d82f83b70286c6f8f3fc4d6fe080228544e8744e33eb4d8eaf49e2703d4848189d06c881d13dd74c32994baf492318de45c454ba09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
69e20c9845146f1ae0a5b46564ab7849

SHA1
34fa3e99755f2022d9813abe7744f272f28e7113

SHA256
076612ec0f29043e55c79e3cd31203e3f67bd6e491d3afd03714c8bbecbc42bd

SHA512
5c8b8bd85b3cc6ba5fa8bbf1aa5a8a25bda1942ab30e93ae8daffca2b857894d63c81a29c4e38e0ac4aeb97d85dc814d4d319da9fa310dff30ced364089a2029

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
bbf126635c190e6cabca103ab179de30

SHA1
e150baf0cd04ae5f6c7c413a039a65eeada8b1a3

SHA256
83af1cb70154e986b2883606892e6d0e88ad8398e55ce9fcb823ee6a3d3bbb64

SHA512
87831137accb92576d20770b0acc7158992350dc556bb2f511d0483a7cf3c8702fdb6404615f7eaca7114fb84bb4573268bc0bcde4888e557f88546fb5353cd4

Download Submit
C:\Users\Admin\AppData\Roaming\c53d6f8abb5459c0.bin

Filesize
12KB

MD5
6a0355698734e869129e351991617486

SHA1
535971495738b89d1bfb39a66497b426f904e045

SHA256
d8d39b739d5d29200b9958fc9643314a81f39b941f89bd3961c8a8535b28806e

SHA512
2d25b4e9cca8780f10dacce766bdd78d978f8ae3c015bbce2a77c7bf475c22217b336d0d1f2894319b013817bedfc664e87a77d928c56d2c3684eba17024306c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
895c07a214f3d497fd164a89a0d51d2d

SHA1
bec19fab5bcec70f3f6b5fc99af6b76de8592fb5

SHA256
39b6993ef2eb95cc9e59e49fcb70d92ba998b6ece7c6291311753d92d17725a7

SHA512
58c83b0391cdcc4ac32bfed9c766e5041d39faa1d4206cb1ebfd2a73327b2191f91563d6523b532131342112b49b70397fab7bf66b308d1b1c6d4ec488f4f454

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8ef02ca3445e352ccb8439ced81824a2

SHA1
e21a879f0870af288408343d8edb9e125087c96a

SHA256
bf602ff56258e87f6c05a36d8c29e85ff253540e21577f121fd45c2b71ef0eb2

SHA512
11016c5a0cc72a8eabb2ac6bcfe96061a65e3bb382d5f6c28a5ae5fb63ce321960eb2a238400aa3d39d38e09aed4be4fdd53b08e1eb5e3ac458c3c2cf8455538

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4e8cbc2de2f76ad7b99f7a1afce8acc4

SHA1
0caf5d65d80c52b22bf9a229fd018235e498bad3

SHA256
8b9d1d950d18319694868a6874e12de4a34348b290c0496d134eddf4bb433297

SHA512
aeb559a933945b183661ca2b266ea4e690a075e244de3431be2417a82833e8577ac00406176c6b64d17b91caeefa0115d2a339f8df9cc3b8f072554473aa2add

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8b3a73404e2818053c4fabd31c7510a8

SHA1
0cbd22d593daec23ce735aae9d4afbc7b607c4bd

SHA256
199533ab4255118accaeb0e5c4bf5f8d3033943073586789802494fa2759da32

SHA512
7258ca601d6048a65c8108a365d201c85d8870c545f97f6b67f5556d086ebb47349fdf08be1a52001b8dff5ade7b861a06068c453759f5ccbc43f302d48193ff

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0d01cae1fd0736b83eb3d933079dec0d

SHA1
a730ba919d8e6db4c11b1fd3bdac9cf388ad9873

SHA256
0a6945e35d62f62b9194f2ae3879629d7b3fdc5049abcf22bd4d32adc5d79ed1

SHA512
9ed14da077f305ea33db0d2169e5d2f0c926cee1c479f63ebba4bcf82e510770a57aa3955209eb37a0efcd4de2e8b7a99ca5789ff58c4e3734392fe09febee78

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5ba7838bb4ec369df5451a9e3f564ed2

SHA1
f3900aff63c827aef4b0f7dd9043c6353e4759a7

SHA256
7888f307c92d6d486a83e308d4d9c695f773c78d8397490087dc4e82ae5ed802

SHA512
bee612071e6e80b6f69f50bd026176d2e8ef50b016f5addec933c6d03aa837a9cd22b4c55f828b7ec47481282686016604798295fb8f53c930a4f4821c31498a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
17f2b3983986cea953c4fb1e80aa4c5a

SHA1
fb139fbd27782cbb419dbbe117baa8e67f374d68

SHA256
63e78ee4ea82b6aebc1df08734af59e752372950ee10c84fc14e97c59c69cfdb

SHA512
c69d0ee0aedc21eb37daeda82071152810fac832356c770b054240927ead20a26ccfcb030e1f8d7f622502959ea7f7eb13cd19766f02a0706036c2e0f3323e20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1b31d969b337664a1b9728dcaa9530c3

SHA1
8f6b9cadd67b01552c4df43afc55c8d2a0ce8046

SHA256
76d86faa6ee1035174f1d65547f5758b7b8b7d65531079ededa33c1a190e757b

SHA512
544af2d1a1f366dc451587057e88ec67cad7968fff0467303ca9135bce39258e8416369abad6e40a842dcb812d218d4b8c98f8637fdfd7d247555a4628897da5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c24047c7b1e79859dfa44542ce80d54d

SHA1
ced730385cf0945b60bc08abeee473e6bc3a0a82

SHA256
5dc252e5c67fae68cbe5f2342ea7940eeeb2e88bba002259f1e99be27db361a4

SHA512
9f775c3718b1a734681a88a6e15cdf950c21dd19d80fba3b3d0fed96182d0da17322899f8b7bf8e0aa1fded7878df745547a84e61213d197ce09e397c853d8fa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7aa531bdafda833891fcabaa73079330

SHA1
14ba1c7fc2fd64347d70a0dbefbe957b3fc2c629

SHA256
850b73a3fbcfb69e5fc13a9b7e4c0c382170635586d887e461494d90d1092be6

SHA512
df395f7cfc8a2bf86644f8844c24151d457979caa30e627da711d319161ec1bf1c42ba300a7283637096f17b2019b0e14224fc8096ead56ce3798789522b51e7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3ee4e2e410b6f5d7e2f351bf607480d9

SHA1
e9bf5cb3c57684ecc0a69c89b8789cdb7c1a389d

SHA256
eedb94549294a8cf2cdc34948fba982c945203efbec5fc07c59f3e822a4be0c6

SHA512
b9a8178064e3d993798a87d8f1489d8651f164176ccea92a0315d7a3e2fe2bffbbd0e2dac9573d0381727df44d9af205a7747f1542f7f343d58c0a2b5a7bddc4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe0619ece4428077dc8db06dcb4ba37b

SHA1
5f7fb00e8cf828a5e80de9698ec8b1c0bfdeae3d

SHA256
e5471ed208c76936d4f24185795eeb79bf09665c32bb5263aaf805b857588dff

SHA512
6aff369aca22c1bdb2e9a4415580d6db7e535ecae207784f7e1ac453e5dc7839b4d7d65d42d7a2f6983578dcc5df93be0c3de89329f5e7f952e6682ceace0cc4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b760b3dcdaaa62475c3a782920d93cba

SHA1
ec651044b064b339f942faa3f11381b3c91fff0f

SHA256
d1429de7a25a20aa1f2e348ac46dfb10f4abbb4f43c64308210ab2d7504700f0

SHA512
40df03e78aeef1de836cb906e1e562dfe694ded10cdba0fe15969e9ae323a4bb183e65cb8ea88e0c592efd12f8a6d800db20bfc0c7f137d9367135a23c58e434

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6e5ef8c1a5e3d4d9c351b5b4ed253281

SHA1
9ce3a679998fd37a3fa64f568aa7951c2b179ee5

SHA256
cc764b2e125ae567cd738c0dff2d781d3a429b5e7a31be5351a4a09692b25531

SHA512
c6fbc75bcdc82ef124ab92e18b70c5d79eb67ee197fdcf89b81454e4c10e078b6e9fec7519635982a4e426cf436f7f1c08bb2b516de4b00d3936642ad22631f8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
179502cf4f98e64fe2b498093c784dac

SHA1
13846e3563e787a3e08993ee998d447a92d9e9e0

SHA256
3e85dcbbd49d249991bde9af5d07b9e0f1adb34a983cec7a2802e7ebb5612bc6

SHA512
29d2c82858cf3790481ea410e4f7e995d6a09f69a33d9f3c9b70d73d4d8dc7b5f96c97c587d90dc04c9341913901bdca265929670aeb9bb1ff751a3113049cd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6968144673e65b0f3cc2540b5c97d1fb

SHA1
728abc13dda1ddd6c530eb4419e59e5d98bc9f08

SHA256
dec54b4f1e45f8c968d0d47b194deffedc572fd081b3dbb629c3f025815e63bb

SHA512
2a4a0654d776aa6293dc18750c863d2d8bcf3b79f8fa0fa2a6bee437ce72212a8845f48cc39d3f96307b7a9e577118c091319be04acb79d13a0b8afe46ebbd8c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a2bc09bab7cfcc2c68c95bf231a13d82

SHA1
1851d22f5a8f87d50ca4e851d91a9fbaa45e26df

SHA256
467623432b1d60577de44f7a0396119838007ba0f92cd5f75ea3b00f792819da

SHA512
f92033f9327bd994aba8da1029d1f8390eda0062a12803104f87b9be284ece02b46023ec476f5965d305663c9f8152763e8e3f7e2fc04f0f2c8fae99e24800fd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fcfcd3d1018f1f1e8451e3cc9f70a123

SHA1
3599c9c432332710da23a2c04218c8f3ac0dd1df

SHA256
ef9f679aa7e2df47c4499a34c2cd23e92fda3be1290b87c3e02ce9697e5fd882

SHA512
5dbc2b822239df2795213dda09d56c49ec034793f823a0941964429682ebb55c44d37e1bd4ac97f3f81eafffa6f8ee0d227d40874ac12e13828a0a7b2321db37

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fbd981de9d54bf3a9116e19ed17f4a7b

SHA1
95a9c48115599e0fba856d0d11a799536ec7090e

SHA256
cf5e45fbac88d7a52e6bbe672edd8eeb4a704c876c57c7aab5d287947ada281b

SHA512
05f711665999f4553059b2630f8be4eaee871bf3e599d7de5ed3e95c8d90c1e871342328b1d8f8973f79940126222f5220dbc8096e29097de096e89c7ba69dd0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
87a38981aac850799b3ec1666221b4f9

SHA1
f0b220d3848abb3111320ffaafc742e32a5483be

SHA256
18c90df352dd618b4503dd96e53dcb78a9bad6af3fdeaec0b80587c7adcb2087

SHA512
8e3392fb214930f9d765e4b5ff96a8eb4c3ab99e3def3c9798e5ebe9330a1195709c0c73e240061e5ac3c05d90df006993acf9da79d986cedbf7a32d986283d4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
863c6afdf9736a0350dae57c357fec8d

SHA1
da11602ab12ebd2b1323cbf4ba577389c31b6fb0

SHA256
66adf85eb6b83e8d86063eea04bf576669b1ae1b5188ce416f9f008683537147

SHA512
674bed55afe3852157e2c4d04a534a462d35506a381224a9418a076c106c10a6fb0a7ec22ae53b530603078384bbdc06826dd8246d7414654f9ce74014831ca4

Download Submit
memory/696-172-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/696-311-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/712-62-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/712-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/712-56-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/712-76-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/712-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1240-119-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1444-280-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1444-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1452-189-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1536-240-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1536-541-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1748-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1748-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1748-6-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1748-20-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1748-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1820-272-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1820-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2824-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2824-53-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2876-555-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2876-261-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2904-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2904-536-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3592-171-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3592-11-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3592-17-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3592-23-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3888-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3888-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3888-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3888-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4052-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4052-216-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4064-30-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4064-188-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4064-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4064-39-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4308-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4532-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-178-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4532-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4976-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-683-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-198-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5004-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5004-552-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5056-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5056-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5176-740-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5176-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5224-765-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5224-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5280-746-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5280-292-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5380-753-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5380-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5500-754-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5500-323-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5624-757-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5624-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5848-605-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-760-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download