31e575f7d4d9e1b36443633fddea6c445ba0f9dc4afd804803e5a909cb0a6bf2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
Size

5.5MB
MD5

bfb4f3f28c867fb513de0493ef62a7c9
SHA1

89bb99cf8bcf1f88420bb1a5cc4ff78c24da36d4
SHA256

31e575f7d4d9e1b36443633fddea6c445ba0f9dc4afd804803e5a909cb0a6bf2
SHA512

3bde20888b293d0dc9f65980ebc038853cb4249cd077e659f6c6f0b11c599db45e078a4f79d189a92ea6e24473316ce73de18278bd9f297a861db8a4d8312039
SSDEEP

49152:DEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:fAI5pAdVJn9tbnR1VgBVm765tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3144	alg.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
3780	fxssvc.exe
2500	elevation_service.exe
4884	elevation_service.exe
1724	maintenanceservice.exe
3176	msdtc.exe
1992	OSE.EXE
2676	PerceptionSimulationService.exe
2412	perfhost.exe
4900	locator.exe
1116	SensorDataService.exe
1420	snmptrap.exe
1076	spectrum.exe
1856	ssh-agent.exe
4548	TieringEngineService.exe
4280	AgentService.exe
1948	vds.exe
4796	vssvc.exe
392	wbengine.exe
3980	WmiApSrv.exe
3240	SearchIndexer.exe
5872	chrmstp.exe
5948	chrmstp.exe
6040	chrmstp.exe
4800	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e94bcc62bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090bf270731b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c00ace0531b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce05990731b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e1ec20531b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003948aa0531b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d476bc0631b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622759140907486"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ee5a70531b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d979f0d31b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a02f620731b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
3224	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
1468	chrome.exe
1468	chrome.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
2812	DiagnosticsHub.StandardCollector.Service.exe
5332	chrome.exe
5332	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	552	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
Token: SeAuditPrivilege	3780	fxssvc.exe
Token: SeRestorePrivilege	4548	TieringEngineService.exe
Token: SeManageVolumePrivilege	4548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4280	AgentService.exe
Token: SeBackupPrivilege	4796	vssvc.exe
Token: SeRestorePrivilege	4796	vssvc.exe
Token: SeAuditPrivilege	4796	vssvc.exe
Token: SeBackupPrivilege	392	wbengine.exe
Token: SeRestorePrivilege	392	wbengine.exe
Token: SeSecurityPrivilege	392	wbengine.exe
Token: 33	3240	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3240	SearchIndexer.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
6040	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3224	552	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe	82
PID 552 wrote to memory of 3224	552	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe	82
PID 552 wrote to memory of 1468	552	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe	84
PID 552 wrote to memory of 1468	552	2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe	84
PID 1468 wrote to memory of 3504	1468	chrome.exe	86
PID 1468 wrote to memory of 3504	1468	chrome.exe	86
PID 3240 wrote to memory of 1036	3240	SearchIndexer.exe	111
PID 3240 wrote to memory of 1036	3240	SearchIndexer.exe	111
PID 3240 wrote to memory of 3708	3240	SearchIndexer.exe	112
PID 3240 wrote to memory of 3708	3240	SearchIndexer.exe	112
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 4624	1468	chrome.exe	113
PID 1468 wrote to memory of 2032	1468	chrome.exe	114
PID 1468 wrote to memory of 2032	1468	chrome.exe	114
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115
PID 1468 wrote to memory of 3948	1468	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-07_bfb4f3f28c867fb513de0493ef62a7c9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2e4,0x2e8,0x2e0,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa4b0ab58,0x7ffaa4b0ab68,0x7ffaa4b0ab78
    3⤵
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:2
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:2032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:1
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:3168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5872
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5948
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6040
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x74,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4284 --field-trial-handle=1956,i,11952282766505449712,6038453515415245671,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1076

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3196

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
54f1395712795894292e9bc61f79bc58

SHA1
f0dd3f9dbd3e25d2993f83a4687c6754c74209ed

SHA256
383e0de8c1cd94721fab7f0a24dbd68bdab0d5e51373afd4352fe877a182c6f8

SHA512
90413d63634a8be43817c7ca374aadb267004f5dcd9c82734c8eeffb51b8c1bb44b77614059105954e33b99409ab732ff9f04884b1dc0b1943e2c701a365278a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a762079ebda359b0a5947a2277b81ecd

SHA1
1d3ed8278b071466d023fd1cd318466db2ff23e2

SHA256
9b3864b376ff917851b470c2954503cd267385b01b7525328f8aee97e1ba853a

SHA512
8b43302b0cdd2b8f3299b9b84812121ada19c56828a1460679c2f1762a215d1ff9cb4f1a5e34f5938a99fc733609c54c42ea1895f1278b3958308a6e160e73d6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9e99631958076a0176dbf5bd98538048

SHA1
3c76bc844d6caf25c1125c6691ed00b7b0935a90

SHA256
99ec73d17f0d153a2b0c0ee1d7c5cde312dbd2945f6cfd335f5de7ff2fe91869

SHA512
b84e03fb5832785e6f5e4de3222170f1ccf6b8d5bf9a0592bd4d24342d14e45059cec6de0248295a466280ebebdd3eabe013825c68668966f18c503415a32e19

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9035d82c47822ada020dc7e2144f2e7b

SHA1
51de93deecf7e5f5d815b054ebbcf5644b1d9eb4

SHA256
4eea516184123fadba4a83ce77d9e0c7988332ad9f37c0ef7da92cc716f4df90

SHA512
0df7e621f91490da75e0b0af5bba212bb6e099c54f1dd7805687f242ddea8e9b2b052c243c6b52cf3f077cdbc4ece0212eaa9d599330d6ca162530c829dc1abc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
33bb47eff5f09b3eac96a13e6f3aad11

SHA1
b65ebec4949d5792b9af7fcf3b000c5d4b4ec389

SHA256
5a41cde8d27ffd5b46b8cdad4f796e31c9dbef3644f66220fc6945c7b175a43a

SHA512
eb091279d4f3144e399d0d410040a5527d8ffb15dbbcc87945f8b4091643eb2939dabb3697045bc572672010110b9c5b08b10f0b95ab6beccf9bc71223bb82e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dbfc0cfc17140398f53fbace75cbfde8

SHA1
085decf44450b7d941f5123d9407101e306d0b58

SHA256
df2da7531f55f7184427c378cf380e79d8103ba9fc249fe98a5523d2dbcac4c8

SHA512
a4979a29a9958fdcf761012f97c5a54c4544fca6c19ee4a03e161dc61b077c4aa766689ba548c11cdeaf22e3bb40e4d497214f45afcb5a19ee0b89bf5e3144cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
22c5cb7da4c7a9c6b26e137f4281417e

SHA1
96a0500ec31548a5047cd1ae30ab4509f7716971

SHA256
47663d9cb71c167557a93d943ecd1eec0b222c5c1a5944f20218ee188316f8b7

SHA512
53a1c415f9ad80e0e9d71305575d2f4118459ed23d696083ad4235c31db321702dc086d3cbd7401cfce2ea34a36ac47889a5bc93de378fadf5cc863061a46b9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e9c7c06e4e65fc1cd8e0c3899dcf852f

SHA1
3c7ca2f42e8fcba0bbfe07069ef447c13f3e4244

SHA256
07ba935563259e1afbe1bc014b513fe8109ee8f301f3b382e6ee8e3e315588d3

SHA512
10e37457f21863c133879122e6046743a49be7a2f1efee5a4d426a5909f8fadd2fd83f192aa46f67d13f2943b344fca443ea7baea2fb0cb69bf8588228a89bf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
96dbdc140172010128c8616871146089

SHA1
1faff0f718ecc27eef6956dbd0666058eb179d4d

SHA256
cb22704d0b21b4d2b061a7aaff8a020e72fe0a418cc369b7ff843bea125770b6

SHA512
a78e8efeff1c40f5078408545c6f65a62a8896046f98e615624e42da919ea45ab4925aa254aebb4e98bbfbc9b59c59e1d6195d3b2b7cdbb9f9598126ac0a0286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3d26ae9a566920ee22da13c57faf623b

SHA1
69f072fe0e63b22e2744f7b7efe074805c2b0f8c

SHA256
95179a5e0d45eff92446030c1e3410fa8092f82d409b3a689f92aa300640f44e

SHA512
a20fedcc61cd95ee0f6f5c36c9eb2862b9ac0715ef0057c9a5779addb3cd5f84dbf8ddddba394506aab3b004946b908626a8d740addd875ac03a7d1f0045a775

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
64bfa7350f8110959e9bf44a918ecb77

SHA1
d9592608efab4ca1f562213ba2cafa6515bc0d5d

SHA256
7784ad143bea3d3e3d649f3e3878d9685b339173e5a95f99a855a7c2e4601abb

SHA512
ca996a83eaf40bf98ccca9052caa04d32b4cdc73a6779159d2a147f6b24aa9440febac058caa181064f3f4c2e3f68b57ff37f082e96c3f8df7cf8c79327a10f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7822967b639d8f3336e63f41229a2c97

SHA1
4a88d8cbc4a86ef16b5e5b4291b3f8081e99bd2c

SHA256
2ae3b53c6ecbee7072c856ddc99e159944a02cee0d38ca7b15e3209ebbbd3117

SHA512
cd549b8c082687844b54f03b2acaf6cf72cad9769f6321bd391177fd41c5bc422ff7ecd970e42c57f765905bc03389fe18567304eacf3bf8c5184b4f5a23f4dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8e32e649349f0ef9b5b95463e8f9efb1

SHA1
acb0782ccc98cbcc4b2e5fe7e7534259cc363832

SHA256
88783868b70b047040a9e7b47a3d833b8e2abef57955a18f24f58b3a5c26af6e

SHA512
6e1a9a41cecd6832d414633875f55a35c6ffce9acf0e5043a03c9b89e34a9464aea45f229796e9e121033a75516947d086d0c11406f7bda05b00f42febe80705

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f4a864ab-af0e-4681-ac85-801da650a1d9.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4b03ea09294cea55dd18e13cdd507cbc

SHA1
b598b2747b3f31b3db6ee885993098eb5933dc07

SHA256
adf8b80f75ba79540f3c76cacf16e65c32253b2b727a19a78929eeb0254e33d3

SHA512
92f8172de0e9ef7643bad12ec0f5980260b2dc8391ca4ac02974ffd447ec4c14a48103ab625099a72fe9e9cc762f357aaf26b412b42d9a4931576348976eb87b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3bb9492a25eb2da7fa81e97deea3be4a

SHA1
2c04e8292dfd892209476416731d756836f79368

SHA256
2a6625977a019bdf630c9333861b0839734b4554289860042b5fcb62f51dc810

SHA512
b3d6c6ba77ca755c2bc04230d6da4540b6fe1789026f197b1451e6644508bc863cb40e4f828e8f44887802a6992f52563906275505be59cb177d6ae093db6bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
490a2803160d747a1a5517c0f0a12bac

SHA1
bf0306f5cd3f8de69203ada6421a7117864cdfbd

SHA256
ee538258370c894ad91935fdd347bd83da8d3b4a22c0216055fde431bf67863c

SHA512
1750e60575b1d1389c525f4a5ddb204750954a50e7f9d81c0f0c65d05bfaa42d55558811cc5cfe7857cba554e5e83c4f0de58bc94b6b19aa8a4e793b381b9e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f225d90ef840c13d42cb109f3eadda48

SHA1
0400c8703794733443ea84cce6b6a370d1b7a25f

SHA256
c102d4c5a75e8d11627d2db7511e644b7f0d1cdfe706dc363ff0a7c5e1a088af

SHA512
bb1771db3c9da6305c3db5465128688a4bcb5330214ffed70f4c6f55fa6f75e6e8830ca137cbe58c249b902eb139aac1b69012103bd1d162a82313c4a0625838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5764c5.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
dfea75cef8a9991e7527d7ffda55c8dd

SHA1
a12c1e8def5019a9d12cf5c6e06b04de29364b80

SHA256
4fb9e6e03166bce19484e6ea0f58a94e48bdcb6057d852ba7184747c7a3b40cc

SHA512
8d4ccd95b28bda31b191b36b25cc74759881f1e2865dd62699335d6d18607f60ae28f868383698fbe7a7e29ec2576ef0a89889b452afcc0cd7507d67c1194301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
286KB

MD5
ad6bdfd8c519ee82a101ec27fd6f036e

SHA1
8407d39cb4ff2cfc7356fc14238ef1b84e172bf2

SHA256
e5e30e1825414e0acb39a1f95f25a24257a70004757d6d815bd431ca0e57df29

SHA512
928b3af70c7ff6d0ca0ca4d317454bb4b1c2a2bab3e0066e5acb65c12808928bba9d2113d07d9e83f154fcd65babefa6033e9955f6fea98fd66226c728224bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
b978142722c83eb72d069d1437e65c14

SHA1
f57b2dd97a43d010f38efa716d40f53bd95c5045

SHA256
ba078b2ec002ad03b2bb95a3453863432613982fabd5b32efe0249ead07280b7

SHA512
b5425735bc49806b3a0f1d95d2015ecdadf609516e63000acc179916ef5bf6cb1ce0835c3301ca2626fc5bc5fe60b9003a7575127f7863b733d9405d47d690d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
315cb4d97413515004e1658214f1a960

SHA1
2719fffec436b765e3cc300e979de9f55f7d2dfb

SHA256
d26a5535858fcf839c14712e5a37af1c926bb3f54ab2cd6842210a5f2d5bb20d

SHA512
0aca3cd68a1d80c2f48e01284590e1f561d3a16be1314502d1a5cc5e925680f975ff442a5a2279c2c6b3b7650f39a097ac1ea09efadc1e548184efb1b3cc4a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
4a9065dd46a5f42ec5e68bb4d0c51574

SHA1
c5f8cc6f994552f6956ab3f6baf6e86ce6a3de2c

SHA256
704601783d9cd4b0e4792025717e5fc4d33bfc3e2821596f746175af78851cbb

SHA512
3b0551727e1932ad619b94a6aa95a97b745d13c00b1dce41be0baee38f0f15fa37c963213f05dd05c51f1ae357ac898961666f32c522448a232c5825d9677cc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
18a7937b629ca2478de894c2cb48a314

SHA1
b1e85b507f6661d9de8b4dd20035933f7af015ea

SHA256
82b8b6143199d4b78dc9af36e8658a61f3b5ebef30f4e7e82168d9e64a05b7d1

SHA512
24bb8ff699f8bd894dbe237fc26d8e941f5202c463d011ca980b1580587fd6079cfb9566cb7fd6ad80e07a5d755fe199f2b3846b9f547b7014fc647975c28fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57da14.TMP

Filesize
88KB

MD5
d2104872b82a8974e7d2f3751a1078db

SHA1
b4e5aaf37c59a2d78c7346fbdfcad4dbae38351c

SHA256
2b1a39a8bdf8e49f2dedc62f4f8e2e99067075f37d0ffdc8ddfc07294201a9d6

SHA512
9b1dd2cb7e71089098a8c9ef7fdedea4b3197d79d896e2e8c1c3b90b3e81e5bc77f89e3f3e500d9f62ff2efbc8c9d8e3c38257a943ecf449fddee6f0ac0a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
88a4e8702d1e3e4305215afe8b83051b

SHA1
aea6bb3893c87552f02fd498705ef2cb42aec429

SHA256
8751b4a7a95b91cc14f8e4683b20b933b95456c137834e3e12b82e81061ce54c

SHA512
2029d19caa8cace00d96fdf148fb7ae94dbe8c2280d98b208f23fcbbae3be1e14c58aea24bff5743236860abecd6546bb65087b53b8b5d66ef562a6acf74f334

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
6291e6b7f454d3117b642efa2eca34a1

SHA1
50d6538459e55e24a04094f81e830dcd50c5e38e

SHA256
a241742de10caeb57e5223475f8d8f0f55596dbcc7155cf6758756f9490becd2

SHA512
eddc05b07fe84ebaeae42a252b9adaa254eb8e6274f0022bc8ee824b6792cd5745ec7ac76c1a62dcbb3e146051c02c45c2401598bbb704a309baf45a685b6972

Download Submit
C:\Users\Admin\AppData\Roaming\e94bcc62bb5459c0.bin

Filesize
12KB

MD5
3411a84146caa29ce47347084808b801

SHA1
e52399cd65fdfbee057033e682630827f307d8b6

SHA256
a3bdf5c61a7805619293942365b86cff6f267637e7e43352f073857100148647

SHA512
c5d5d1d2e95e0e026ccd201790fa599ce0ac8d72b0e8606f81f589f6f53070911f39f43772f5bb07fb9a6d0f09f3ca88dbc129b239ca041e1f46cb912993cd7d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2d984d771c4b975c388d28cf2cd6be5e

SHA1
7541edfb7846814b53c1ad0f698a7b559d4eed37

SHA256
c5f1db1760c7b8d542970a3b1b6c1bb7cc019f1ea5b66ab32ead52412d56b594

SHA512
cc9c30cc4e1b1420e3fbe73ef69e19097f728d9034330bffd50b79a1465f71f5175d639394386c3705689db30f68fb30badaa83fca732c59a830aafecfab35de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
115c73a9c01a0eba0e04640374f6d7e0

SHA1
c21fda6936d8b2336ee87fa867e0de8ea79a26ec

SHA256
c26bcb139c36f5fb726afab317cd5363bf964df59c54ec04292fbe91381e7594

SHA512
a78a818a54a82e67dfce021c052500b1fa3195dfdd3d0799e5c3a864518c64266e10091a336410eb4b43bc98b92c6501845102253aebda92542e2b73112a8c71

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5b84a59a9587d59ed7ca904aca7ea49f

SHA1
ef3fe0ffc167383ad15c7d48100f9325c37cabcf

SHA256
0a249adbe1e8a1f3f2a91cc95a739a76d7fd0c15f40b9ae45025bf665733fed2

SHA512
24566b20b57cd93e9c64d7c66eae20f64b85119a70dddc825df339001cc96e144e192f6da6807f610cd9a4a047ee179990f6c5129d30d5e61704877b2033e8ba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f1beb135c65396c2e399c8602076653a

SHA1
7474cd5a5350a7da3f1d64447ce38d48ede3d6b7

SHA256
cbfa695746f191627f0476c9f73a9f8dcb3d5744f3b1c360b128da3947a6c991

SHA512
293eb505516e8d3804ae95fb728bf98a06b417581d0ff32997a55b2dacd7e5818f0166cd4a0f048b6c187f0ab00b5f306c6416487ce83daf128e1e39352c1825

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
04706e7e63cf5280a5d17e2190bfea33

SHA1
8a773fadfcf1f8c65e47c6c3f45184702361f5c9

SHA256
ec4de9e1a188a4971959340bf70c139b1c1637bc49e521bf9b139944e6399ebd

SHA512
6f48c9ec47b10b3d8e66319304bb0bb5be720feed64ef0a0c708193b51eea80acab0a64a5a89a1239685c05c726a33ab67a259f8b69431aea7246bebb66025db

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4130f10d28d460476506efda07f4d30b

SHA1
45f757af06c677e0170a4ae46ca45cfea26cf2a7

SHA256
7d50f01c4a79f53dddc0e6b0429bba6b0140196abdce2b5553918f4eaa091d09

SHA512
83f36a491e0e0391f75e28733f03705faa5cf031327edfba44cc5da8f6837aa52f09763da46d568f8098d603df999db3bdde6d72a6c31b6a251201763665e167

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fd6ad92f992a9bb7eabd25dfa1c8a393

SHA1
195f2cb37401cec6f5ddd2424752cb8e568d36cd

SHA256
384d312dd23317f9a642acf3dd2b649bc23ee7d3fb67c33524a9db975d022fb6

SHA512
972af6f908f8f5d8826fa2c13132b74fff3e004c06e12d6f4687e57b35a6ccc31bd236e077d4a856a28a48234f117452f89703953ee6dc02351b762569e373e6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b1ff47ac1f8893956d23134bdc4508a5

SHA1
f9094a0b39c4c50090354c7d7e0f7d7ff79ad7b1

SHA256
84f14f304c4bb57e5cd8e3772175323de5e80214f3d0442eba13b2d2501a2557

SHA512
9f7e3f1e959d6d2e432a17df58307f1a3131f9e2908e1188fa811a9c1094c0eaf47d44010af89656280f237a64000a6a65cf85c59e7ef93c74c14e02dc13d99a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5704bf024a590e0e2dfe164f6f74ee92

SHA1
b7e0b7c3f51b7d6d9dc0758ba80793125e35bb28

SHA256
7ef56baaaa461536385f7adea603d667aba49bbcd7014166fc5c720906ab3cd0

SHA512
72e17c053fbb5c85b45708e0c4dbf68f7b671403d57023cdb0f5a2fa391322b421a311e13d09d235405da1d853608b893acfc051081520f09987c219962c9b6f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c318ca225f49b499d464c05d9826ebff

SHA1
931a33fde27cc5596619cfc2d64aeb32e3be9c55

SHA256
1892cad36d524291d09e3d89a6c8782d7dd0c8f3dcf05afea7c0981cf5e7eea8

SHA512
480cd4ab2604514d6cda43f463aeb9addc03365dc29e1b6427d628e9fab71149d31afb1c1b627de49550160cf70d33ddb47c9c5a89e2e852b609b9b3a579f3d2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bcdb81db4242da92f00b1055d7cfee41

SHA1
2f0c169ff52090d90f384d7d43764de817c006b2

SHA256
36c0b2697d425f43bf1af609c0cf84740ee63e494083c76821b81ea22feb9272

SHA512
43ffc084713f96f42a3da0286c524a823073f18d13931f6d3e3361aa5f31f344efd3fe7d83710deeae91bc541a4d6c4297c097dd925465a1b09b465a82ddcad9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
66278048911c877d3a5b3c98d0775a18

SHA1
3ecdadce3e0a5d14bdcaa55a2c9b2ccd0022f351

SHA256
5e96f980d2c3725d8f782cc33f4419f1573a24b7e289acea1a95b0b61277c523

SHA512
a18eeab55bdfedae7e8f044f5db355de2f45d884b551969885b591797ec55b5385670e59f650a039cbf88bd6e019c6455d8277fc3ec0658434f93718f992aad5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
32fc812f897a3d3c028c9dc997c727da

SHA1
5f0a655bde6916f6be0ba466952dea262d89a3d1

SHA256
544c1682e255a05ccfb4f0993b37c5e87647c79e9f7da3ccf5499164670a8741

SHA512
d0d06d2de0f19ff07546f853f625a40131ef3160d56f8781343f89a0c8bcbabd3e4c7bc6dc95942115e10a343199da58668aac93e86aaad82e2907e959967ca0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3dc1ff53f5b4d0be6b644483f84a3cde

SHA1
2a52f6ee643d32ddee208590b25d903a8ee724f5

SHA256
78dacbfc77936b23f3fc2d00deadaf7b99740733cdf346132156430b500b1eb2

SHA512
ca111005b654ecbd4b144f3bef26846b3e86d1c1677470869deb18c3aa482097c7f490ed635f111955c2d4c4fdb5a568b4f25aa521163e340c122783d0409801

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5a2677d2b6d891dea7740d0e8941d81c

SHA1
dcabfc1c8eecae5da3a3bd3c7de00829a4843b50

SHA256
a766d8ad1c724c0380d01bb9148145590afcba12eb18badb9842297d53af7c0e

SHA512
96077187a1e259b6b8cf44b0f139d7899c48a5f6c4e20919bb898e08163de836de38ec1ffbe37eb142926ff0bf0f892d82578489cbf01d9b6ed9976468c9ebbf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c816bf48f3243a3c7c100c50423f897f

SHA1
730ed5801c476c082769693aa81ede25de7a9899

SHA256
7a192d7659402273836320612bc524517bbcc43a3c11dd02c0b6ae8999c07a2f

SHA512
ce65c5886510788af39bb6085aa317f4066026781af6956c3d9515a6f37e9509429f952f7e5b9d05346f776d2b9c88f4c7e5256576e673dc8001876d5b21ba3e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
06b328c2a533bba4eb6771ca81f0007d

SHA1
04c4658932d3f638ed65fedb0315246f408cc3bf

SHA256
630b4f88c2f9b0d1c7135359335b3a26892189391f9aeda667deb474376535d6

SHA512
422fcdbdb83b897b86a85cc419dc50e9fe2e73bdd36b21d2675dfbd8c0b01f6b9f2719e0440898a72e91b2621d675351e20d0b35033b738fbca54789915eb7c0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
28debb4b33041ea835212b91ac2818e2

SHA1
4c1fa85fb84942cfb350fa7c4a2c494b80047081

SHA256
f8f4b9476425dd98786bf70439868b3d9dce3498b2bfe8a0b28a5dd5e78d4f4d

SHA512
9d0f9cd169e3e24e24deffa6bce34b99cbca2e642828869d30e1f0737d1e607629457518e0e96829767b200dd822a9eb2fd1937db22424bddebb5e3bca6d1d97

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a3f3e419e17a3530696b7659c4303a26

SHA1
9de348dc4a85218cc17c52a3971b907e614e7f0a

SHA256
7578509dec64fb3889122661fab0dcf857995d83ff7ef9f626b2105c452792da

SHA512
3ea60e82b8625aa93e5a5d8a392592006803c7a74b94dbd5e9e3d6771350a2aad8d7816f3cde2003949f249a77b5ac790a0a13ea59a51022dff7a0802cbb86c0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
44f934d8062f398113d53138c82324c9

SHA1
22b5f91330242252b81aac1c3aa09dccc28caac4

SHA256
7cc236fc56976336d6b11485bec6524fc97ab7cd502e5aa609561d18794f3cda

SHA512
23e1b617ea0362bc7a039c49a2a11e7e08742df07abef1795cdf78cd03264904af4fb908848a428510baf89d63564c210a809e3d7c2dc9e1de08ae04fba24776

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
31801e67e48e9ca71c6f8dc34c10e5e9

SHA1
66c5712b5e6adc69bdc087921e10c5c75f11a54d

SHA256
d2b20a84d25a2fad2b5ce668e5d1b69ae3268bda46d6f97a152c3fda4dc286ca

SHA512
6ce8ee20d0d21bbd548c546481a8ada23c9154257cd6e6a57ca1418ad7c75418066b54bd817c19c076ec1a019167c8dca4c84157631422661795a5e759e6dc32

Download Submit
memory/392-226-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/552-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/552-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/552-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/552-26-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/552-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1076-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1116-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1116-508-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-212-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1724-85-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1724-81-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1724-75-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1724-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1856-214-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1948-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1992-207-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1992-98-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1992-92-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2412-209-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2500-361-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2500-56-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2500-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2500-50-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2676-102-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2676-208-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2812-39-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2812-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2812-38-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2812-31-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2812-509-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3144-456-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3144-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3176-205-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3224-14-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3224-25-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3224-443-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3224-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3240-563-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3240-228-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3780-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3780-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-562-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3980-227-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4280-155-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-215-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4796-561-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4796-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4800-629-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4884-558-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4884-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4900-210-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5872-500-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5872-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-628-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-454-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6040-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6040-476-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download