ec608e836d1f2a8299426018a31cf8042a8c869d10ceb94652404ff38861b60f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
Size

4.6MB
MD5

d21cc81c3fb7a3c7aae2685778e68ee4
SHA1

5b48221c5b5229c36ac7172cebe29d6031df7b77
SHA256

ec608e836d1f2a8299426018a31cf8042a8c869d10ceb94652404ff38861b60f
SHA512

3cd45013a6f36de7bf677b90b1adba6d672979259855bbc6f95e5a9c0240ffc3881213feaf3f76aa37824b42b641f4457a77c5e3226a1a85fa98c74f35bfe684
SSDEEP

49152:GndPjazwYcCOlBWD9rqG0i0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGb:82D8BiFIIm3Gob5iEf8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1312	alg.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
872	elevation_service.exe
2484	elevation_service.exe
2536	maintenanceservice.exe
1124	msdtc.exe
2552	OSE.EXE
5032	PerceptionSimulationService.exe
4652	perfhost.exe
4052	locator.exe
3392	SensorDataService.exe
2012	snmptrap.exe
3636	spectrum.exe
1556	ssh-agent.exe
456	TieringEngineService.exe
4300	AgentService.exe
1000	vds.exe
3912	vssvc.exe
2872	wbengine.exe
112	WmiApSrv.exe
2536	SearchIndexer.exe
5132	chrmstp.exe
5248	chrmstp.exe
5352	chrmstp.exe
5420	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\969d702dc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c033e546ec6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab27c2546ec6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c03128546ec6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b556be546ec6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bad810546ec6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c07d0d546ec6da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637316084733499"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b91133556ec6da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
4036	chrome.exe
4036	chrome.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
5656	chrome.exe
5656	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1140	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
Token: SeTakeOwnershipPrivilege	1200	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeRestorePrivilege	456	TieringEngineService.exe
Token: SeManageVolumePrivilege	456	TieringEngineService.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4300	AgentService.exe
Token: SeBackupPrivilege	3912	vssvc.exe
Token: SeRestorePrivilege	3912	vssvc.exe
Token: SeAuditPrivilege	3912	vssvc.exe
Token: SeBackupPrivilege	2872	wbengine.exe
Token: SeRestorePrivilege	2872	wbengine.exe
Token: SeSecurityPrivilege	2872	wbengine.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: 33	2536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2536	SearchIndexer.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
5352	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1200	1140	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe	81
PID 1140 wrote to memory of 1200	1140	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe	81
PID 1140 wrote to memory of 4036	1140	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe	82
PID 1140 wrote to memory of 4036	1140	2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe	82
PID 4036 wrote to memory of 436	4036	chrome.exe	84
PID 4036 wrote to memory of 436	4036	chrome.exe	84
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 920	4036	chrome.exe	94
PID 4036 wrote to memory of 1128	4036	chrome.exe	95
PID 4036 wrote to memory of 1128	4036	chrome.exe	95
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96
PID 4036 wrote to memory of 4444	4036	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-24_d21cc81c3fb7a3c7aae2685778e68ee4_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9052fab58,0x7ff9052fab68,0x7ff9052fab78
    3⤵
    PID:436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:2
    3⤵
    PID:920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:1128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:1
    3⤵
    PID:2384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:656
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5132
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x7c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5248
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5352
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:5932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:8
    3⤵
    PID:6088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 --field-trial-handle=2092,i,10676471196188170679,6769197691600829938,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1124

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3392

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4280

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1728
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
652acf7bf069823a25e4f80586ee53e0

SHA1
9099ed89a9bf67e815c6d9d2f360eafdf015bd10

SHA256
fe3d620ff2895e076e194ef5452849684e69f1fa009f647d79c4ca5e6179916f

SHA512
c5c68417e31503c77d321914dde206cfe4c5b403d63f49116c6fd941b2a7e72b986f03a3fcf399bbb671e5d09ad2e3c171cc604ccf64cf46bf91a323b4c3f8b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
46aca5b2949f41847403701152281bd5

SHA1
1a766d33e215372c6b980dfc24dbfde6117bf1ae

SHA256
a8c831f0177d33d8f9a7361e76e7ec74d0077a938cb7b5841a135e709a190aa0

SHA512
e8689e3408e45efb0241e8e04eb832f0d84f191e877c5bcdc5a35acf46f99b5c95b0fd15f25a18cefb68256446938e5ba4ced83b680dc67f48ddc93d6c5e36cf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9a08660725448da97ce0cd9b97396604

SHA1
8cea2bd2d4b23de46e4d0355312e09e82818d1e9

SHA256
530c51006bb14d7e46542d30f09a01e8a5fa8289783e053598715a6d4ec02789

SHA512
3b2ef42b1943cd04dd12ff34ff8f53486efd0b2a2532a251f08748042c850b516d818c1a336f616f8fa988d346f754acf24f6e5c9410fec9fec5effbad875ae4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
baba3b35225f4ff7f40e378b8cd9886e

SHA1
499444015d5dfacf3e3740ccd9be4d83460f9cda

SHA256
992f30d516105c1f0bcf493d1963c22bac740c6559ddea4fe8279745889fa314

SHA512
684b7a0c4aade0f05f9636d37cd5f67cf4d86644937316ab24540ed82fb28d45487914144f492c9fa8430cda2c72af6d911911176857b6a9e3db1c962f1b608a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d63f5b06c809240b75f79bc9a7d1d0c0

SHA1
d35eaf61b65b34c18bebbc667a9fc6fe592547f9

SHA256
4f23ba962a04f16ee4e651adf12b845f39b8fa8d35452e0e430e000acfbbbb6a

SHA512
2e1165e684bab2d4bfc44aa453714f77c0129784708d2b971055d36b59f469331cfdd71c022df32fe0f13ddcb818e8f495c5a4a40a06c53ff5c10fa5d1931892

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f0fab5f528e0006c1eee86b1e0edd9e1

SHA1
cb90926b9a47af26a9bcda77c2d475e1b62e50e5

SHA256
e864295c1a6cfcc0f7b602ca04eec82e72ccb3484465c5c4f83e0843715a6456

SHA512
9fafc9234cc9b41bfd613f64bcf02711e46ad221a96d528cd4e0d7f4b7186ac0a0e48081a2c09f108d098461747125c4965452f579ffe7afbdbc2cf699b8c6dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5024844616ee7099152480f7d31740e2

SHA1
0df0430976a729d034f5a460adb720cd4a4fda7d

SHA256
0fe69d44e5bcfc0e019d950493691f40827c8943eb4133329702c09d54bb5d3f

SHA512
e80e5fdd97c725257e16861fd70cb24696db27db6aef34331b6c20b05cb75a98df3d2954665ab822b289f5f4179e0ab9ef33fbdcb3098dd52ffcbdd343056b4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
40f0fc7b6cc5be2092370c54f877999d

SHA1
5545cea28c69c6e033eeedbfcc57e1e4e7465903

SHA256
a6c278c12ecb3b5c7be172754ca805fae9f5869132f1c6273e85c6db3f683312

SHA512
9627c66ece446c347892f58c898478f817b6b32f5e7008e630c0b00a84821e24381a6e5f336d3da1b25d8dfe9b1729c2334e2f3efcccc4bfd839c8346bc8ffce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
072b56b22565adbb45aa5b0b082e6b23

SHA1
81b8a69a990f62a29f7546985b25466cb5778345

SHA256
fd08a360aecbd05887c8bf2fbffc5f0ad250e2f040ee7ba550cdbd543737d8b6

SHA512
1320aa6156cba6f39f9212ff6c8b762814ba9474f52437f43e4df3a1d7abc6b5c3215e8b8c41d2b160ee1aad1cda23d43edda9f1620f780c99df4a91dda2a6b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
218b258c96563e14b480e1a7e99b18f4

SHA1
246d22056a479a6d31998b5c042ef2c1461c688a

SHA256
0cd7e04bcf6371597d590bf61b14cf1c05781ad0bc918d3c2d28e28d49887a24

SHA512
735e0065841359f78ee5fcf43530e59518e3dd398a285614ef5b1625e7f59dcdc625ea2afde38186d00f5c38e857e6816a9303960fc22d9bcf30eb7c2231b891

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fac09d04e17ff3f0ab537e81de40bbf5

SHA1
30977eea2d954b1cd48659995c538e64a1feb007

SHA256
26a78fa5d07355e35c63fbc95199a2d109c18205d9d36d04aa4b2d4aa675b224

SHA512
4e9350777fef9df2a0f25a446ca10a2fc1d6ca5438cbbd7d35478e1c73af69c1a00670a62dff033f6255f8bf716e7311bcff0bca23485c56cfaad554736fc8c2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
39fcbce8cab40d204805829680118578

SHA1
659bc88e7529b110bcfc721c9eed04cbc64d5324

SHA256
7b33bea53527094152f38de04ed3548230ad4ff91fb92aad374a6cb5f2546cb6

SHA512
9664b5b3572a6e44e4e0d681b50d3f8c39195aba74398de4a25f03011251c65830d068b84dbfa391909d3129d335512c9535691fa65307b57c970d12a07cc607

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
287ca135cd980dc7cc2f9a49e7004f9e

SHA1
2835aedab71b13b9f76de94efb6fce16684247fb

SHA256
430eae0598f02c8a8faf6e94ad2c7ea449efb1068bd2f5077359db2041e63ba7

SHA512
ddafeea43d12d1e0a59f26cbd09450e945bd1d18846c765a7133e4180fd7e134794135c84f320861cd0053383c03a83d5855d69e73e12194d394d1f792f4c26a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f597ea1c2639d2d1e1c60fcdcd00a8d8

SHA1
3d4244969d1144776c4f2406a50ecbaf00d084b8

SHA256
a903484e685a7500963952f05426f5701317c4d05b3fe51c2af041ff9a6b7cb3

SHA512
aa0b0461694bb1c2012847b830bcfb23755c34ae01c43017943ee0b5eb850adf8e03ef0a3e0d5ab3298e0b833e7fa499b2ba2faabb49b5a6485a9ff68025f9c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
737618d8a1fbf267d13cf3404f5ad7c3

SHA1
fe22dfff11909b77411e4a450559c0924a04d19e

SHA256
225292b2fff13707b1476afed4d7462e0eec44ba1626ed0ddfed6a45673710a2

SHA512
20b9505d65009258908c547ddacbbc7e5350f96f1303e9f723cb894688d2a4ee13ae41215ed59eef5a966563adfab95e59aae400eb99e17611c0e1bf0b3768f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c49cdc0a10deb524d9f91b2d86019adf

SHA1
e3e6d1631be31f4d6c4d1673f9b059c7eee098a5

SHA256
4f12f04b9dd7dde3cdf6d9594f618f083c759be20d02ea94a6705f4b27ce6909

SHA512
b3f216bec0c4aa0ed6a61fa91b1ad1ae278184f6b044177507636398f1702ae7a7e7f583dac0bf5e13e4019ebfbb5ae36252f78b7a88dbc4e098bb274c3eeaa0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\93b6b3b1-e994-4180-a23d-6bf8b5b59d55.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
465308efa5cbc30f1a25deb5761f23bf

SHA1
1da2838c9b75d3f8cd503f3b9cc85c01ac4b7d37

SHA256
8b262765dba2f6ace9dd78bf80370d4598b0ef5f655933439eb336bdfe313dfd

SHA512
49d0e7f52fb0454969dda67064bc995eb95e6634f46ee8f55b5d90dedc97fa7a771d194e0cea022c60961adbb12e1deaac63d44863629349ec57a3301710dc91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
db4b901a9125052424a121b9d0c64480

SHA1
cd0736e23f3c5e8cc85e585b160d7020d285439f

SHA256
ed80c8ca54e147cf6cd4d402c83ed3126bff2fb15fb5dd616efeb29dd69ee966

SHA512
69d243de2049c1fa4509e6a62ccde00b233826a4fa46b5b2ba017214046549e221f79ed581b22befdeafcc98472a8eb3b12ba772668fca523a14bc8a084a3a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
05d340292c8a8c952ef60ce888cf319f

SHA1
58c6d8538ddbb7959f55cd51c028ee71fc16d2ed

SHA256
e84e84183311acc1e667d13681ede00c3af1dffe20ee10ee0cd657b10b14399b

SHA512
a3c19c562b4fa7acde3cc5536d3c1c5a9918a170267e3d03af5e508b806a7375bbdb92b1b6929113eaeebb0c220e3bb3fea1c2b60311fbeca229de2173a03348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2219afea2038ba89ee172742ae0dece8

SHA1
9f03e127186d3bb629f545c2ffabb99165422f19

SHA256
999dce6344a053507b39e2cb85b49f27c31e5ef6b965b3e31250bd897a327d32

SHA512
7c6f1ab30ef355b08c17e9ec1fc6126e523f08295d3444f7fac5cd777c7ad2c7ddc0a661e8767db9fd674dc5f12e30497db70454d33c83dfbbaa5ba8885950f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5778ca.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
2df28d43561bc3a9cb2ebe2d35d31ccf

SHA1
1e8eabfbc3b2a36073dc23189e53cd255e439496

SHA256
75cbcf03e8539629c12fc3e8b5600af90237b5488c4356cf8731ab283cb67c4a

SHA512
6aa7e1e0ded3e3cca6ca69b3af575fc1c320a6dd0e67f8ceffbea02c87c2d83627983690b6daf8ca8839c3486d99be6247f152ca107798ddc0890019cec1b67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4c8231ca52caf37d79faa61442f14bde

SHA1
61ab502aa998ce54a2970315e9ba4052989d0750

SHA256
b3a26973484ce9dee764c5a5141f665213c6ba8fcb7622a30f2028601465d550

SHA512
ac53f491e47aa96e7150a4304030627c63b7a932308bf5d49895febdd68eefed6a9e1ab6b243f9412b1a85a2a01e1e1573b0b43c0870fc659229859e58b693e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
de9e687956f077ccbfc7708b6677dac9

SHA1
b3fd4049a55329173eac9c3b8aabc505c77e1e2f

SHA256
cc9df02f63fb3e4d5bccd948359bf24a5c415924e316106d4364ea63c67fed58

SHA512
92c31f3c15f6d2e3d590b40fddf655ee751e60a28289f2d47c7427f48ce1db3b46dc1e19c24d3616bafc2d1fe95607211fe3bc6cd299787193eb9e367e564a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ee29.TMP

Filesize
88KB

MD5
45dfb36fadc09a15dd83f364bfd9f472

SHA1
baf9e1569d81047bcb8b2a1711672d14c3fe4dbd

SHA256
915123646cf0f0d20efc7a63f0074934f2d4532203903d6f029e655b668ade0f

SHA512
eb56330ea4e6df3cc164eee23f63498c1437eff35269f715a96a21b08738f41e2ffc470b93b12e4d5682912f3793657303729074c482167adb2398bb2f6607ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cea4813ba12b7e40e1744c4c094941b1

SHA1
db49f14841ce2a2197cd2902d40ed21ee359ccdd

SHA256
459028c0ee2435bcede6ad2ae2ea5637513cd79a05a0374db58441470430d078

SHA512
84feec1e5b5fce9485cee7467151c066febf86c764bdf67a6ed971c71b58adfe9017013f14f72561b49aa8b2cd2ad7251ead5775545a2487bcd529ed2635323f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
38757436ae6a24f852890900b4ec59cf

SHA1
b4ca5b3bf5490836ef8f81797b61806c14060053

SHA256
0e7f1542db92a2dd6f014c0cfaa8b12f270d7d8c1192acb412254bd4807321f1

SHA512
a50e0e2f3c6f4fc636d04720d97610835dc320e5a5349d0522a160e569d3a4bb1f1c9b579b2236b45b38627a4bf5502a1e3e82681ca6bb9f370a58bebf852d2b

Download Submit
C:\Users\Admin\AppData\Roaming\969d702dc3136770.bin

Filesize
12KB

MD5
e2d530540b9f4f4d859aa35492b71fbd

SHA1
2b821e98c7b47f4d2ed4255bc2c727b731aa1b6f

SHA256
3b9f6d571200d10961a537d02d59daaa999f2f497c90c9c8cdfb9f36b6fc6762

SHA512
e8510c4639b33fe214c40afb8d14fe10db0aecb8ce8665d798b0b4411dfa1d1401edd5f04de75c388b6afe34414b22daba69b30e0299556097ebdf815ef91a10

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c2c33146d16957efffadedd45c4752c7

SHA1
0d2c4cfebde1467776545ab830ef5dac19e793be

SHA256
822406222d8d2d505b336cf4b0bcbbb8904f3ef6661f1d6999fa7905c6acea8a

SHA512
64e8d044b32eb570a65db20c42b254932ab35c6dd2ff7d656866e4cab4b1819d0e2666ea37c7b4f743afab94470a0dc7b8a12aafaf43f5c4e774d7fef179e9de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6a3f93a88e4bbbf97f9bcead20fb8243

SHA1
f83907e52b4a7894244b369d2b6356f7d28b6c38

SHA256
207be24bb4156579523e0a8380a8426c7d6296a1884942b8bb3ff30b4b6c1dcb

SHA512
ff7cc10459ec505455786ef5997925816c6ea1e0d9da8ada159b138a9d975f3e88b50a2d8f9c5a2ff5ce3d0209e2547127865c7a5a63af7fbdcb0957d7b1dba7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e9c1005b3cdbcf65a6e89c16a9c2612e

SHA1
02d77382b8308aab8d1c9e9514a437db4dec09dd

SHA256
fc27641611dedb2ad673a94a923324ce347c0f509ff2ed05bc82a4d65657d5fe

SHA512
1d9893675535c73fbfc7ab7f88bb95ff6bbf6cf65f81fb3cd42c1e4c16bf8d5b23c3139e75e21a60577a9022d3f03b62f8888127f446f5a43c853312e7b37fe6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
45b6fdbb13d18647b5d7ccac22165010

SHA1
ad01a0f4107ef5c5bcd08614d500deeb936ad223

SHA256
dbdcc602d3563403408e4b67b33b27f3ffd6f5e77bf5044127a78eb86742a1d9

SHA512
d2731498387c01ec47d14a574b7027fa8fc082da8f47fef2dffa74b3205e42755359803fd3e68b6c3305708ebea90e759b90ff1e05a338a152dc0b64848d245d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
96f881274302bb40dbec825e80b42656

SHA1
5bd611f85144fb60dbdd3c36bfc051192e60e2fe

SHA256
84a4b2fce8fc85c6d2665926c49de644ccf22fe04793c8e7f70ff908b7efd2d5

SHA512
fcb8471b33f2003be89cbdf078c6f98e4abcc576c46208c05c3ae335ea5ac0e061cbd0b040e8967ef4e226e0faf2441345522306278a1db55a9fbe3b055996b4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8680e0e79298dd52ddbbcb68d24b7ce2

SHA1
d9de333a848fa610bdc2de788ec15e1d64ee0863

SHA256
b58458ad191b0eef1ead86a43716d15f67cea90a7d04ac42153bb49a135d764c

SHA512
81594c6d28cf06d90c4343b0efa7a7179495406b4e5477684d7819d757a0d024038cb126fd46d0cd205969eba510f3344cf8b8ebfbceccede848f24be8d4bda0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e7d2da03d4d8f713504c50ded7b77c67

SHA1
4a3ce17b76af28d8ef5984c6b6881eff860965ec

SHA256
0bea08646083449e246dd775f99836568e374e94112e4e34da60811b5271abc6

SHA512
9a3ecbabc136e01a50efa97d358883668df1537b89790bb2f3a22b3b40bd8f280b2c185f73ddf3216c184d3d5ab3401c8403f1c4cb2888953ceadb194ab18fce

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
33fd9e27620ce7c4d71de57f71f7ff6f

SHA1
3e7064c107311283b1d6fe5e7b268bd8a1855636

SHA256
cc9f6aa7e3dc27e3e0a87aff0a85bed5f08ec477f912d4085e59dbc16b83742e

SHA512
9d6c2d753c87a0a517f5889b53c1f551c5e8fcc2131265028488c5e37d24957405e9eb0d399016ce5a7442ea841d8e8b4560cd06116fbc53e51e2c9ebf2abec6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1bbefb9cb6e51bec72b7d40f41f8d416

SHA1
6d7b02b13e1297bfaf691aacc48e656abf2c5950

SHA256
a1d8778e9fd796edbcc3fa8829b14819e9e8c4fc344db6fda43d9e0bf7b9e96c

SHA512
ef0d4e796008188732f1fb7b7e4830ec4c162cdaeb45eb479980a9e831ed214e8762c66292a7bd0d96b1238d7c01a112277b713c3b8206bd7494d52120f5517c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
536c006197584b46a817328ac3494336

SHA1
b8d30a123b0dd7341cea38b713fb44e6cf5d267e

SHA256
83335021d262c8aca9e839ab8d7f4702829b4570d1aaec4eedb984e4ae6d62ad

SHA512
8e7e005d2eb583c7f6f7c7f4a865b0b940976eef35c218e77c039a92a67ed90b21567a3820254cc56824dce7c7e9e96b0908f97213a210f109e250f8d9828bd9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dfd694852146f72b8fc02491ba0d9f11

SHA1
f14e0b26e4113b512d44234ceb4e9f7dabbcbb50

SHA256
905a0a2c287df4683e7386ba3fa56c33d4393f51b79b00fe34ffa66cdf3733b6

SHA512
591ff9bd8f8625518ecffd14200da5abaa5eba958936f4fd85ee6dcca9e4b943613ad11970c012ca6f2bb38ec890702bf0ff49f782af6e7345b6e50b3b3eadc0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a2226b904085b6834fd90168746e86a

SHA1
a23e86b4233c41252db054b0767646265e9e5245

SHA256
49ceaf92e9fbbb9f4871e44e3fd8e6c6b574f33078b13d2ef2e2879b78dee814

SHA512
4e7e663bb3836536011559fb4dac2d31853c0b4fb22e95e599288eb222872dc242d801cdc76708c79601ffa9595b1f1048c504acaede887c0934f63df01f34dd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e6a04f873a14e11999d721364f71dca2

SHA1
e4a248626fd1645590a2698ceee83c277e084419

SHA256
8c868a6ef4ff2e41f8ded1118d4bae6d43205c8d3a7b0e2af3f42545ba779044

SHA512
62e0a571e458958617d2c3c04fea55cd9e60670719d78e5f8a8e5b4e6c6845cbdec543b7b923789ae4de56e19f9b31c3d5f8a23d23aab0a09450892b084c753e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c179f6c2de344561ab67d7b78a930471

SHA1
19da212e217dec9ca719f7f8afb7a1c4d1dda7cc

SHA256
9b51c34684afcdfa8122395d6e31854373eaf64587309f4623853c5f5769e5a5

SHA512
6f25fe8d6a61a2b049471ff0ccfa061cdb73578e5de0ef329de26b36b2d75720b9c98c8919e1b4addfe30d25fbc7fd2467d2ff5fd5aa32dd32c784cc1b4cdbb0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
117791ec73ec09c42a7ad2b33b2721d4

SHA1
b32b0c3482bdc3fdc86037628280cab0d42358b9

SHA256
b11393efbcabe4962c888ea42e174de36360e146439c4578e664d7801a8e3a54

SHA512
1b8d29df0ffbc3ae4b29a25a226054165c9b8f26865a8da62e42f5e9710f159886172bed0803ad4ee256f2c4249cfccaf2466abd6613b994b0c9d06cecd1b577

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dee5ba997133e7561e9c3aac2b68c364

SHA1
c15f385453ab30794ad6c501084d1a99fb50be66

SHA256
754580bf8fdb22ed25fab51210044b15b6d3433ce10be04fba5fa8b645f35cc9

SHA512
bb9f7d0634caf18d2c01512f7aaadd1e02e96cc85ee30149f31f92ccd26a46ed69331b74243375a215b5efcbea4b54bde48969285a8463a6647760ac8c70c216

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
848bee164abc68775a77b6d9b53fcc73

SHA1
007ba574cab515a6dee4abb64628ec55fb33f74d

SHA256
93e09aa1dcac08bb5c86e42a6e7c81422d9436e48b78a002ce3fd1f73d5bf60f

SHA512
74c3f57164ec1168efdcfc025c93197b8cdc853e4b27fbee4498b324ce76bbca3ad73b65f00edb26055a35bde7bb71cc4f394f6e3cb27ce092f747a028c156e2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f2c75247d221d09fd60e44432c9bcf38

SHA1
2f4b63da0f64c54519a0f4c592d6e5ddbad2cc73

SHA256
f69a8778f2947c49f78de48f427acb530a20c7b5bd1b6abc1db1c245f80b19e9

SHA512
c00420f2d5b19aa929c98d995cf849107e28bbc69839098ee522b7cd5b08ff9d64c51c8a9527f55b6dc5e6ef4fdccc0c755d55bf67a61e68b6f924f5557590d0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6108d802cf75abd23003f71341a66085

SHA1
03e78a62cc784967dc156dabfab217c159e5aab4

SHA256
1adae225a03fd6937716726e706e43dca8787ee70c25f7484d62ea3dab39b49c

SHA512
3b4ba7c2da0c00156f927441dac062d45c400ae43a38116494f53c87feb0fcf6a084e259ab91919617f17e43f2e8f806cf53c1c65d6fae9177e39d178a8a9763

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
71cc19781e3616bd427490a74c9c758a

SHA1
059f07eadce7f8b2b17ca299caddb34e6fbddb4a

SHA256
eb9983fc7953a728e8b54e3456eb807335cf2ee597ae2cdf6cca37342746b5f7

SHA512
479db16707b0adc51385b65cab68137d9b3bf2694499b18d4cbb1f64e04636ae84fc2220e04cc266ecc475a18483b45b19304ec13b2c66fce0375e86d215e6ec

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d51eece70148d461318cfd5238541066

SHA1
fee189840f7afb923bb9d9a9e2124e8622aafd37

SHA256
05aa0662ee2d982b2d42ad2f481ce96835e70c8af1d206948ef7b4d13ca84c1e

SHA512
dadd9c4380f15997c4ed84ed73c8c3721f3ee7e987287405126189508d9403e0ecdf468a4ce3e68a1b135aa1dccbd7215cae049c516c146c5dd9b76afa315083

Download Submit
memory/112-226-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/112-595-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/456-449-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/456-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/872-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/872-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/872-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/872-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1000-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1000-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1124-212-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1124-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1140-28-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1140-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1140-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1140-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1200-118-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1200-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1200-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1200-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1312-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1312-158-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1556-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2012-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2012-409-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2484-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2536-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2536-75-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2536-81-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2536-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-230-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2536-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-86-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2552-106-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2552-95-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2552-100-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2552-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2872-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2872-222-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3392-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3392-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3636-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3912-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3912-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4052-229-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4052-151-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4300-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4300-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4652-224-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4652-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4740-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4740-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4740-45-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5032-119-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5032-220-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5056-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5132-493-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5132-412-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5248-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5248-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5352-480-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5352-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-452-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-604-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download