6b221c7a4d368a35b5f47191efdd03926a548d10e48672a207fb871b64684ace

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
Size

4.6MB
MD5

bea9c5e631c416774f30a3c8d3a9edf7
SHA1

c906a03a576553d44b1cb9265920eb0dbf145293
SHA256

6b221c7a4d368a35b5f47191efdd03926a548d10e48672a207fb871b64684ace
SHA512

90d1d322b018606ecf4b165d772aba55510679fddbdcc9bd98a46b6f9399c5011b9149855fab0d41babd74743c298ad9f7de0fdd77ef509a785381f7e12e890c
SSDEEP

49152:0ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGh:+2D8siFIIm3Gob5iEOpAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3064	alg.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
4652	fxssvc.exe
904	elevation_service.exe
3032	elevation_service.exe
2532	maintenanceservice.exe
5112	msdtc.exe
544	OSE.EXE
2832	PerceptionSimulationService.exe
2796	perfhost.exe
4684	locator.exe
2588	SensorDataService.exe
2436	snmptrap.exe
1236	spectrum.exe
2260	ssh-agent.exe
3096	TieringEngineService.exe
3704	AgentService.exe
3352	vds.exe
2356	vssvc.exe
4060	wbengine.exe
4740	WmiApSrv.exe
844	SearchIndexer.exe
5324	chrmstp.exe
5456	chrmstp.exe
5620	chrmstp.exe
5732	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d8f12071bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8ff284009bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3e7513a09bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000306cb83a09bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8e7803b09bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed60693909bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b9bef3a09bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
4328	chrome.exe
4328	chrome.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
6112	chrome.exe
6112	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2688	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
Token: SeTakeOwnershipPrivilege	2996	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
Token: SeAuditPrivilege	4652	fxssvc.exe
Token: SeRestorePrivilege	3096	TieringEngineService.exe
Token: SeManageVolumePrivilege	3096	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3704	AgentService.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe
Token: SeBackupPrivilege	4060	wbengine.exe
Token: SeRestorePrivilege	4060	wbengine.exe
Token: SeSecurityPrivilege	4060	wbengine.exe
Token: 33	844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
5620	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2996	2688	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe	81
PID 2688 wrote to memory of 2996	2688	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe	81
PID 2688 wrote to memory of 4328	2688	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe	82
PID 2688 wrote to memory of 4328	2688	2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe	82
PID 4328 wrote to memory of 2804	4328	chrome.exe	84
PID 4328 wrote to memory of 2804	4328	chrome.exe	84
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 4336	4328	chrome.exe	110
PID 4328 wrote to memory of 3264	4328	chrome.exe	111
PID 4328 wrote to memory of 3264	4328	chrome.exe	111
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112
PID 4328 wrote to memory of 3316	4328	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_bea9c5e631c416774f30a3c8d3a9edf7_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa320eab58,0x7ffa320eab68,0x7ffa320eab78
    3⤵
    PID:2804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:2
    3⤵
    PID:4336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:3264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:3316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:1
    3⤵
    PID:4008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:1
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:3772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5324
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5456
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5620
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:8
    3⤵
    PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1932,i,7196163734930367587,15841838592713110855,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1236

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a9ba1197208a5d9e78259096f095008

SHA1
0815a02fb2464a525b7d71ce11740efc8a8cf3ea

SHA256
d69a5d3237edd00bc4342d745dd4071cccd9758a34766bc4db251a317560486c

SHA512
689b497091c823b539383e86e8e9615e9ea580095dade0dd078bcf3f1c294291cf301f6ff5ec4850a97bc456373a00e95c8fe8eeee1aa093eade7547c97ce29f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
10adebedcb9eec2a5543b6781fba939c

SHA1
b6e5bb7b45cf66d8c4c3625f9a466c64682720fb

SHA256
b6650eb97d1fd3f47e9f7aadac5eb35be426a5360f9b7caae00db9fa2ac05342

SHA512
4439b7f6949d6638ae742d08bd3b5364fb344cab074ee24ab25aecca3d7e386e7be42cc11f88a9dcd6facb7e9915133bf1d3304fbf1732be93856a54f4621655

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9c22aaa8ce0a35978d792b82e19c7474

SHA1
62ece62c235a2a542abc1a16a23d6f96b2f66e60

SHA256
85094790f0906f10a94ec2286f01e57f2fee22d80eb9bb8fe9800716d9d5ce4e

SHA512
ee335b5b14357faf027c9174a513b3fdf40d0c1b5d8f37578b6ced4f2cc7c30d826a6bb294d09ea69ba804afaad84338989880b87c2335dcc47101b83c76988d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
507a693dc3a6d12241fba8aa753839c6

SHA1
d1f678d85cffcdb33de93bd80179dfc561e4f82a

SHA256
8cecaed5433334da115ae6de53e2bcca61bce4e9a7f93d7aae9b80867daeac0a

SHA512
cf9b38f58934de5b2bb48d4220264052e86d38e76b9e6beccf000b1e28831645812769212156920f6278e9e586211805b99f64b0e4a9d6ec031ba663b8e08bda

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a3a4fe5607da4ac9eda1577f4c5c9cc8

SHA1
bf90dc41041cfb88f0b7beb2c35e12d58f79ce51

SHA256
aee61fae6e7d8008db54d6f7fd1969f74692212edff7efc22ccf1851dec76419

SHA512
08cdeea48ba305b2ec053e8a0def7b90878bf12a26beb920a85f9d085ea5901ef0564913452e5141237c5754ebe76240745dbdb63e10a018189bebed03cab9f3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ffb80c929275d598dea58a43c7d0b739

SHA1
425070a63204e62319899b150c4c766258de1cd4

SHA256
8d9cc6e2ca53dbf52be1d8f69fd3436aa70bd56bea5335a28efb13d99c6b0fc9

SHA512
c034d7aedf8f479a8ad45592e487aa70bc382a29bc4a0fa8f5c876a1a7e42f7e57561c5d931203b8bcc4ac39e8bd5460b1cf955ab3d5a578980d12b8291e141f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c55504496f64d92efd53dad6638db622

SHA1
ec1251a79b34ea47a3a42b994d15b3c7924f4214

SHA256
89f4a9fa85388ff4671e20e8f1c0f59f13b289be80d3dfde37c59bf82994765c

SHA512
3ff77b0fc47af3a84d36fa111f6e360f725bd189ba0997efdf78bd6b3ca5f670f58bfa4f05fade50252ade54312a401a3b69e521cb356a22c2067a00a192588d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5fe78cb2f086adbd216e0a90ade2fdf8

SHA1
2514679d62636f3e1ef5e7c40675701ca988256c

SHA256
62bb95a1b50ad4ad251991f732c4b5b3173eea023e49da0146042e9de03bd90a

SHA512
c421ca03f5cc83a31f63ebf96ae1259c8e9e86f808cb491b6a9de955bb98489b620895a15f8b5433a8df077061a280270516135a8631141e6e90951074fb9ffb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b6e1987d2946115de29e4df9db459b20

SHA1
338bff27197b59857dc0677fc564342c30c57f90

SHA256
2581dd76c1ad00a556f3828c297c6d237517cfd881dbaed0738dadffb17fe41e

SHA512
8e7530f475126834106208b37f9e124f79ad48f3d355bb6cd0828c8547767ee03862841668a141f22ce567cd1124932a945715d258f9bfccc7c10c4ad93f68b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1a04cbd976b7a89a859fed63ae67bfaa

SHA1
55814aa9f5e9f9cb506f8c8dfc34ce15f6a558d8

SHA256
5de62b694fda703ade66c118b45f7a9cf603cc38baf20135a310e397ffa42948

SHA512
a6888a46de6885fc9b8f650ff6c57bd5963167f8a43726272af22f8a8b8898a1622a645935f2f202af0f72d5bf3f7730758246afbb21819a9f704dbb3c401bf1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c59da7034faec4c2e41f194588610649

SHA1
69d2ffed2573e6412a93e1f822b01086d6777850

SHA256
59b459b683bfac4aceb729a292210a4b48c5afb3fa6301f2bb66bcd7d87e481c

SHA512
a3a8664378dfe02755fea1a93379f01c54b75f914caea8cc83df076e28d31e92f20bc09ef560dd9b2918305039f0a83dc3cb3f81853d1952e8c8243555822c77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f6bcb9e85f01734719133ec632327d03

SHA1
54fdf3dd483f2a68c063206c4c067cab79456e63

SHA256
da2e5468ce7d465ee147646cf956d08a36f9d83394ebff5220f1245d35b8469e

SHA512
a2d3f93b87ca4fcb976bf21b7b1715790604c6e440766bc13a6a4a94066884d0f3cb2160cace8a663128fff33de7ede850cc44fcd50a1ba879b6a9b40e11a402

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
214681447430683cdcf8d440473db719

SHA1
2156c155f052d495b24540568e54350c8d9dc18d

SHA256
4f6434d62b00e074f8ac24cff18f3174fff86f1ab817e5d29064ce9fd3d76787

SHA512
3aae73e4893ab9c41e61a7b4130ab325e51502271e087d92f131da86f3bcc1701ebe37585e8530372a0a9a7eed2b17cc4ebc0c7ed54b494d2e3deb8dd5913fe2

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240611141114.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
16a5b848fdb18c0022b1a250f61599e0

SHA1
60fee90f136f064f57d6321c04213bca961e7fa1

SHA256
37f253fb9e2a2200d0337227a4cce19848f253333011f73b1da2e3b8b0711ec6

SHA512
ab6c863f918e5018012654f2965e71003dea6749c0383cab3d99c08c56f222aa7c058ef489c1477a59da17cfa5902c26fa4144cf90f9efe05f54ba854d644b52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
85b96f36712120cda1e32ec2c5a29398

SHA1
868f2a3973dcc16288289e59afb59b5b1a1ca8c8

SHA256
a6ec6a03a0a82a73cbc2200d94fa411850588cf81f81d725130699d3e76bd950

SHA512
61e6da463ab21e1d67185da174d08d836fc972f0283dbff46a90930ab93d6245376c279d2dbb777d18bb2174a178841c2e8182f369d795aaf5802967c13df07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1ca093a05986bcc756d36de6df56a9b0

SHA1
eccbbce42cf6faa323e15a4f22e690a7cad47dc6

SHA256
36ff298cb96fd7519c4b6a7c74db2d72cf9a1bbe5e2a0bbe4c4c29e0a24ea04a

SHA512
ffe1d59e1261c6337a5f9d599861a23ebbbbb2577df30ac074502f6059b9cc5b4624d0a5fc6960ccce855607cf174622799d5f4ba8425bdb87d084d92ac835b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4cc3e1ca2340e55303670027ad1a0f1d

SHA1
8bf64e7af411c7e5f5c037a6dccfff75e6f87884

SHA256
b46c0351a1abbfc482d5bfaf4c69e4557eff063939014ade3d5d7c6cc9629e8d

SHA512
0132b86eec258a2dcf4bacc097edfb5aa45ac122226d2e76d180109a5c5134d62bf571dbdac187e25a162f8a7f6820183bc3d9b249cd52c851ac56c13c73e52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576c75.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f76a24e09b726cf26ecb0583feb21b1f

SHA1
a858d68212b70def7f8f9f171c75e559228057f3

SHA256
44206f35c64d36ba99eec54f0c65aa3eec147aa7ef55216ac9a0bf2f9e8e4ccf

SHA512
2b7131d20b1e311bdca3a4aae0635380f79fd734bec8f7e8ea290027be88f3dc7a05a69da7b0be7b66ebbfc792e806504eba2403509e39529973052635506629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
286KB

MD5
64cbfa6f75b336747dc6f0de02fd885a

SHA1
e3a5f010d3813eea134a4649e0ab5df38775770e

SHA256
2a705a2eb995aa2fc50efd644c21c45f0e0cae6cb710e1201286224d0425a8d3

SHA512
4d3552d4082eb1c290e85b054b0a18ccd0cd26a680a85568552bcef26f24967072152f2da4ba1412ac58c1a861b9f19569c1ca426a9951df7daf6139b1a5706f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
4d005f4c0b04e64a463b18f91c879d6b

SHA1
c1382fbfb413be3021de6272b9a7d48a98fe0056

SHA256
c7aa581445a7a801d17e655c4b3d9d60d434ff4782874bbd878fc30a2a88ff28

SHA512
505043a3d68b210ca46c9438603092c5da320ac390c8cb895e820ac3111ed9f813169c19aa695fc7dd7295fa717833bea33f85359de63cd6cbc33cecb12a0223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
ccf469389cffaee6f70aabe03619c363

SHA1
b748e2c219d40a02eeb5327c454064f985b9d96a

SHA256
02e1bde547cd8a34596beb584ec896f2c65db4b4d4a63ccc77c7e5a9cd4f0b3a

SHA512
df9c0b7e58efa71fb82b88ac82413d44cb3f07401ff4c430bd7a74c3117787fc67580ed086dd2f5dd322276364c44b457f72dfe68ed707e487c553cdd74b406b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
f03c47aa813c92a50f6b7465dd0cf87d

SHA1
9b185a587989bbdac981164ccaabdd30e7a74d91

SHA256
a90531321cc54b2fe9b9185db9dee66877608b7892ead41c4bc1a5c959ebe201

SHA512
76289c38720d3348b04ff0278703ede0ab4c94a3264d6e744fd2191399846bc940984daf4327de5dea2bf584abe3527e434ed3f1c854e42f40507074c6b12fba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
f3acad331b4e934b2011ceb222c07f23

SHA1
554d463513f463e3b1101f6a5ce9a20313998c2a

SHA256
fea13bacf66d7aa00b3746e4c0b9ac58fb479ab70237a4e212b3465f4f259c46

SHA512
ca2e4b74a41930b6728eaf27c6b8bc3ab8e506123d239c8317f72d31f8e3f4477d3c019334216ed04a37ac0bae6c4a1c234cb718d47df2f4481db4a7ced26673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e1d4.TMP

Filesize
88KB

MD5
cb5be329d494893eff3c9ccab81e205e

SHA1
030c2590243914d4225f6db771f178605f0596bf

SHA256
be507f47c7cb98c446e99e2728c38665e25f0a5dcaea959a13a42a6b8f22ef11

SHA512
dc072b3f54c439d8e8354dbb42ef7f2ded5395c3a35442afba4db8c99d18272204cde1228bdbaa5b5dc63c4e9fe6c9207ccfb70c3ae9da7daff0c3f156f665ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
fd6580ca0f48796b2b0adcddb3eec74b

SHA1
94e9555bf85fa992e86cc0c0e344e4bd61c3d96d

SHA256
66f177a4c023465a1e6facd427cc34e3f82b77c195700da2185c414422bed087

SHA512
7f9f4548156e437046756c9d0cfab208a7799f1bedce14956c086843d06bc8a9a45fe00ec16a590699dee4bcf400f5f6487ebf202fbead0d58165646b2aedee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
24a25093ea2e9cbd50444210d08769a1

SHA1
f4132d5fd1121a4bbc50dd1ff26f2e7a8204c337

SHA256
aac7f1d3fbab84cc513b6f16a76335396c3965c51a47ad715b88949217477b5e

SHA512
472f2198f069087274adb1bb9b95ed137318d0c790e883b0ce7a5a9ae9a74051c948387be6a9f0dff84c3c638ab456b31e5c70c8083263f2ee9079b31f2904c9

Download Submit
C:\Users\Admin\AppData\Roaming\d8f12071bb5459c0.bin

Filesize
12KB

MD5
a68a483e200d291b1b6c5e958ebbd1c6

SHA1
80619727c4ed1dbc417d33dc5395aa26903e4921

SHA256
0632e9dc383785c86da7ba4cdb86656efa3d40d53e503ea227c053011cc5eafd

SHA512
98de7044a0589d7d1d48ce5c1547cc4c034a0613dc47b5ca345482195fa1991207f9340ff5bc58bfc706d6ec75fd7a381f8d1d1fb193bcdb76ab60e4f9a319a0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
22e5ee4676ac75dccdad9e1f2408b009

SHA1
93865426f7e87e0703737e898380ab2222bc08ee

SHA256
8efbba4c47d8d6f6eb116515af5a7d44e9946b0154b3ef6d29cee274fc333e72

SHA512
1489a2297f37c7d992ef1b7d82dbf5061768ddff9dab44fb7452673da45758d5cc7fa81a19bda0f1368185774020a196cf0ea15d40858ef4a400065b8cdcb46a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
10f8be8ea25d3b17fb70edff0874d0ed

SHA1
0a15773f1676e0255d084ab2552c46dd2c7a361b

SHA256
1f52fe8e84ce998bb81a5ed1bf5c2c1a602fa6530c8687836079f0b15e5d858f

SHA512
c40dd35b63c492193cdb0479fb2f2a5960d71ce6a6f699980c5539c8649a59886b1b8cc667c9b1a9129687faeafcacb314ee7ddac63edb61257ea72d6a412a18

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e6a0395d2e5c40a0d108b71e1e149cc1

SHA1
d1361d53e773897506bda97bd3527492ab22e47d

SHA256
fc752a4aa9d94c6df5e13d78614afb315356355057f201e2c9e64c6751f589e7

SHA512
3606bdf438847614afcdfcb4175e99e8dfd4b7a06b91c4c6930eeb7f0de2f7412b8074bf00752e5ddcd7d69b54c687b8db1560bb45cd149c2f2c4a78c6f12199

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ec7519927d361f363a2b79c3729017d3

SHA1
2735066c49ef35d0b4ed6fda1d31664f2294894c

SHA256
97e76bc6922b37076d62a464fbf4495ee77c81fe0c16a1d38909a5600d099660

SHA512
adbdad455d67996103ec7e12b467cdf32eac8d7bc43642140aa7f1eec7499a081bcaf560e76270e16ab9486d128228af4e568cf6545a7fe4038aceeabadd5e8d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e1cac23c808002e981ec0f6e6c57328b

SHA1
801385937070c9cb66c479ec6a1392248c772911

SHA256
59e9400cef9c05d3a51dd8436a55e50c0df22e840a96ee9fd6e1dfa3063ef17b

SHA512
84b323529db3b4da06123a500b62c349af8eb4f64a747131425cb611994523d15c78dfddcb59cb1dfb5382bf99afed4d217ee342a70d6517fa68c2dc0478f34f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
52547cf357e8eec2b54b4fc0ee33cc7f

SHA1
255495c92d9b490773b67bee525eac34459cb738

SHA256
5f07a95ae06cd1c95c3f1d8fc73cbc654ae0b7bd0cf82a8fabd7c24b3267a393

SHA512
64627f8a65a603670d52f36208147853937790fa7481882abcb9f173e2e3f862dc0b1966e0d43383fe8c9c14fa30ec5070cb00cacfd55c67d6e229a698733039

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
13a159cf9b27df05d267ba26b0fbe8e0

SHA1
29bcca0b85a845e9f2675df79e1f10e5445390ad

SHA256
92eed635ef44cf9c63fdd6ac770879aacbdcac0aded299c64d1350c8423464c2

SHA512
de4ba9e78b39a0c595cf3b69064de57d5c600ba1869c27a5ce5b5593dc10b10af9a41eca4ec47886d063100e2b2addfcc5b271cd53e1a7052e98059e907c527b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bab1486108c7d8af36a9127a4f8f68c3

SHA1
e1b3126e8d2adcaef6629d42e44d357895b777d6

SHA256
47ad9c3379d9e52057f418fc0e51ffc2bbb2b84690795209ff7d798cb0254240

SHA512
1b9ac109b30eeab973238331d78c7a062ba81e1774846dd431846c442051f9b510aa3b8d0c70515d7ef31cf4e1dcde3760d4d69c1654712aca84c2842f7887a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
336e41a7fe641707bc96c9d541243b6d

SHA1
362c30dcdd098e9f66c2330a592d3a891b97232a

SHA256
7d8a604c3a689a46b39184047a9d32e724eab6b0d4524e497504d8be8f4e2294

SHA512
dc9c780aae6454461574ee5bb80fad62df0d0cb8c1c1d81d3ba002d1f7f9adb3777e10629c0702f9b869fb1da5165c625230627de2ffeb75cc0e865de322a3f0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
39c499b40809f6048eb7ea8f66bedcae

SHA1
7cdcfb8d81aa7b622d4fbd7330b73004d8f9a51d

SHA256
f54f6b4541106f440103658c0ca139ebdeaf855bc26dee31d06dfa09682b4725

SHA512
0de4a3e13616cd06031ab88fea1441e369940fb99346881938878b97a1e08f0d17779305a5897e5bdbcf75e356b48f4285185f8f82fc952be194018841e48418

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
34c8cfad4b4038cf0b8a23b98a582946

SHA1
ffc1e8a0049d45d1d9e3e67b2dcc7ab3e04d9d69

SHA256
e7ac87e4e8f4965964117262a4d60b95dbec01954c56d228f8d7a4cd4e0eb9ab

SHA512
78ffdd48bf35dec81ce9389439c04e66eddc7976482d6aef7e5e85c409f90212820b7a4f9c62cb1658e5b1ffcac7a43f5de0074d1e74587df276fa8e2cc3f993

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8bd95ea74dd52c67952f444b1bb21093

SHA1
e845145ba97aa0fae07813b723f17ecbe9778be0

SHA256
649e1c0d786c9083df3ec73f2b8fdadbf3ea7ae82e83f31d66ba5692b79d176f

SHA512
db0c81ee509a374b4f99cbda424bae0d9163cf1d1ea7d90a7853a432cc82789b1dc15a183c794abc0f57d4962667b112da154ea3782652bd86bcd7b02622ac9f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ac121593a0b88d8795c75deadbc28f82

SHA1
fd11354521b3fc48fdb9dfc1e1b1b765ea44aa53

SHA256
fcc505b68429a5035b83ba6b827f014651b91f1c932052170e0a7bfbe069419e

SHA512
1c0268b5cde15163f8b7d7c704fd3943832e0e18cc8f0ed2866fe93b6fe880754572ad48fb8d96968e53a8909f671b645ba19890869f2372b735cc85a1304dfc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dc34741c13a63060d3690e48ba18d350

SHA1
c204d1bed9b8865b2b4553ec52f140a354457ba0

SHA256
ab52a07302ba9846785137457f7fc862dd4b45388ebaa5b35d13b8531d537ff0

SHA512
59b86625258fff4146fcd2c43d5b713ac118c356ca82741846462ecb839c0d73a71dddd648ae9bb4b6274e52c1791dd727a2d02758cd90837c84eaafa23ca441

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
12ebe1498910a41968e62f077e4a2547

SHA1
a7ede667ede57774b6fb4afc4bc921a795110ec2

SHA256
933990340f8f5caf7a99120f77027dcabdec6f16327ad62e0c31047f2f533902

SHA512
7c12eade5eb78365fff488209950768ea15609b58b0a889609dde257c7f6a5fd67f743caf80a2fad79c3c7b13fbe9f16d14f2faaac0029565f0f0aee49734afc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7047b8481a1a59f3a0f64fefe2328d7e

SHA1
0992f44acdcff09381c8291c4302251a8183e945

SHA256
2231f95fe5ad309cda524722f396fe3c5a3538e2e4bbd9eb95f812954f3fc235

SHA512
d7a27586f31f023c4337e51f419ebbcda48e7b964dc9363ef4bc07e0ff4ee844fc4459a4c29bf0487539d476c138b09fca4b42469ffba6efc4f2d47ed1dda58c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cb6694a3572808f1cbccb05f493b7f41

SHA1
38e56d9d5eda81ad64bda669ab6929543d2d2212

SHA256
1eab53bfc88a36f105238f6a81d649d463433756a388c12e73a01c6e7e69ba35

SHA512
ac47f92b15e304c9f13eaec542cfb7d9d97c0b6ce1d9efdcfc75e1f60395d6806784d1f9a4685af5b6e07c918c56d679cd16d42c065d6d06231052e3d2df0a8e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ca06e2fd6d94637d3c457ba4df99a8e4

SHA1
1c869231ead74906fdaebf62f4409d3b0b219e1f

SHA256
77ff52e9fd531668233bea1ef4151cce6832e31ef2044475e65d5cfe37e2320e

SHA512
ba6584310a884e59aba2747ee0f26260d239a578bb77d7be0b2cb57dd0cec4f7f18480f474dc6ecc08afed9f53e026091fa911f2be13e1e7ce8668d5bced715d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4054c9c96e3445dd0957386037799b35

SHA1
9e251ddcae405331115e5699e8e35979f01f94bc

SHA256
9d77d4206bcab620d2a306c92fccbb547647370bff271ba6c82113a4bc71d391

SHA512
67e07fdeee7efec103037ec55358eb89c0b02cb97a0b0fb3a8bd39aa744c146e10402c6f10c4b12c975be14da09c7c54e91de5ac47d80e030341a2fbbff11676

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
40d7274f024c1acbe5a419f9f1f06aef

SHA1
875e10bf10d2fbbaafd55fe5efaeda37132d9488

SHA256
194ce0a4d0e4408a35167af54a3cc228e7e361522bd821cf81b9d35752a530cb

SHA512
2fa57292ba1a5064c68c5940349e33a69fb1716d5d1d41a18e722fa798b7f364920e71c2d43db344d3ba454a35c2d2703fc356b5cef9e5db9f577ea560aa5d44

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a8dd5dd555f7894e8a6beae821e2403e

SHA1
5065dce0a4d12cc530d6bfa2bbf672ac15ef6cf8

SHA256
e8471b8274ca5dbf4f80e953f4e8319624d2decb68ab9a8eb9a883bc8f15234d

SHA512
81ea652aff5aba1053df92db62229f92c4af56e1812a08ef7b19bc645093e56bcd9b1455c12a5ca6b1e0b0ac89a93c0117d201806cbb08f1f41351da18d7fa07

Download Submit
memory/544-97-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/544-91-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/544-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/844-187-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/844-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/904-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/904-51-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/904-57-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/904-348-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1236-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2260-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2332-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2332-41-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2332-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2356-634-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2356-184-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2436-179-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2532-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2532-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2588-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2588-178-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2688-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2688-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2688-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2688-27-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2796-176-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2832-101-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2832-175-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2996-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2996-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2996-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2996-451-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3032-558-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3032-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3064-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3064-452-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3096-182-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3352-183-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3704-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4060-185-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4652-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4652-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4684-177-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4740-186-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4740-635-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5112-173-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5324-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5324-492-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5456-437-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5456-637-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5620-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5620-479-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-642-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-482-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download