815807b938cdfbbf351f6c50d1ab1f74fa9aaeb7ae61b96e0b405165be80e6be

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 16:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
Size

5.5MB
MD5

a0c753c50ebf462644db1efb7c6dc297
SHA1

d46bd93c821aaa5e6539bd0c9ae212d2ad752c6e
SHA256

815807b938cdfbbf351f6c50d1ab1f74fa9aaeb7ae61b96e0b405165be80e6be
SHA512

0ca7dc257619e99f9ddceea6bfa3680505651ab28164c835912354c65dd5f60ad2764b5fbd21af3ae9129d8ad967caacc579cbf511f021c1608cbbda6085a3e5
SSDEEP

49152:FEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf5:ZAI5pAdV9n9tbnR1VgBVmKdM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2576	alg.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
3308	fxssvc.exe
2772	elevation_service.exe
1852	elevation_service.exe
636	maintenanceservice.exe
2448	msdtc.exe
4348	OSE.EXE
3640	PerceptionSimulationService.exe
4424	perfhost.exe
3632	locator.exe
428	SensorDataService.exe
3356	snmptrap.exe
4552	spectrum.exe
4600	ssh-agent.exe
5236	TieringEngineService.exe
5312	AgentService.exe
5520	vds.exe
5584	vssvc.exe
5712	wbengine.exe
5820	WmiApSrv.exe
5936	SearchIndexer.exe
6140	chrmstp.exe
5760	chrmstp.exe
5964	chrmstp.exe
4744	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c7d5388c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020c68fdd0ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f044ddd0ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e7b43dd0ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b1922dd0ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5ed77dd0ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010b29bdd0ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000741660dd0ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2196	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2428	chrome.exe
2428	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2568	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
Token: SeAuditPrivilege	3308	fxssvc.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeRestorePrivilege	5236	TieringEngineService.exe
Token: SeManageVolumePrivilege	5236	TieringEngineService.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5312	AgentService.exe
Token: SeBackupPrivilege	5584	vssvc.exe
Token: SeRestorePrivilege	5584	vssvc.exe
Token: SeAuditPrivilege	5584	vssvc.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeBackupPrivilege	5712	wbengine.exe
Token: SeRestorePrivilege	5712	wbengine.exe
Token: SeSecurityPrivilege	5712	wbengine.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: 33	5936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5936	SearchIndexer.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeCreatePagefilePrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
5964	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2196	2568	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe	88
PID 2568 wrote to memory of 2196	2568	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe	88
PID 2568 wrote to memory of 2620	2568	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe	91
PID 2568 wrote to memory of 2620	2568	2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe	91
PID 2620 wrote to memory of 2736	2620	chrome.exe	92
PID 2620 wrote to memory of 2736	2620	chrome.exe	92
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 4372	2620	chrome.exe	97
PID 2620 wrote to memory of 2008	2620	chrome.exe	98
PID 2620 wrote to memory of 2008	2620	chrome.exe	98
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99
PID 2620 wrote to memory of 3392	2620	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-30_a0c753c50ebf462644db1efb7c6dc297_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7648ab58,0x7fff7648ab68,0x7fff7648ab78
    3⤵
    PID:2736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:2
    3⤵
    PID:4372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:2008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:5620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6140
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5964
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:8
    3⤵
    PID:1356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1924,i,5175434632088453922,15734696547007861678,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2160

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2448

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
35fb1fa9b65e02ad2f637601c7a56e08

SHA1
d1fadb7f16d24af00c0c05340c281d4f3e725797

SHA256
2fae3ed425e2c0b7ad77bbe60306b25a538c9808813c059663b91dc27fe64c80

SHA512
4284e3a95386a81c4a095c3c0502871988e35bc778e62b8b04ae8ef50f06ad712d15222ff45712aeb114772b8b38fb4523e32420a461103c01c3bf49ca9615ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
549e5c5facef55d72beb1fbc89964e76

SHA1
d413f61911ce2264ef1eda6af9e47c3fcb141d36

SHA256
67a9097f038ee007022ccde260deb87da2065f0d7719e4966c7c073d3f7d42a8

SHA512
1e9744f3519fd65d3d9992dc8ba6efc6575a4254ec18df04646e67f7b7c64a02fa7bb97a605ecd794de998319c5851d208ec083ac76516b6afdad0ae4af3becb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e55f4eda81356f5d78b0a220cd1276b4

SHA1
ad1ca59f0ff7697d43018e5ad100cc1b278c7365

SHA256
8ebf8a2ef5d78eab75cce9865e1dfdd971ebe07632721cd431e587a8ad285819

SHA512
0ab439b1587318fbbe2ec42ad56f405a6bf047a858bb8a550a661ad9aa6e27bfa9b3b420ef48b9c62b993d4aaa680ed92222260eee78d13d43af80ae784cde02

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aaf325aee7eeb4408368c4101539238e

SHA1
ffa993f7ccf397e1139567de3babdcc7ce758071

SHA256
585bd7cae2a32e329d93bd187c34d9bda7168e0cc6fecfbf3807d68f9f62cb64

SHA512
ce664f061573bf60be11a8baa4a12e6948a605bf3e83681d0ff7a2abfae9afc054c55ded87b15f2c64902d166bd56877b56e1191780010111c8d4bec0907fde1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
576a5923722ce06b0cf5022757a4c57f

SHA1
011ada7a3761ad8fdab313f61521cf8a90286bf7

SHA256
6bf36525d21f3faead80bd19bca51929c45ae126ddd2cb7e4314a3827e825d43

SHA512
cb434c3519ffdcc2ab2b7ccef463c16b537077ba5b8e4fa0dbe200e2d93f61c301ecf90d273939b0d294b6f36dc4dfa02cecfd28ea1779fc31ec93fba0ef2255

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d00be6ef62721a1c746d98e168e281df

SHA1
613ce5924227af1f8065fe70a00c6a48bf502b3c

SHA256
94fd7629b04b1d0c90f59c0029e2e8d4474e3df0cc597601f2f0bb3e7b44f28d

SHA512
32166b1d3e93fd0fcd593081ec57339df2ce94f0c7b1e325218858ffcc80bce0dc326097d7f71b043c7c767e3b9860d5f4b5aa26928333756bda43d999211e9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0c13d6f26bcce5ca768f459d48cdf189

SHA1
9f3431ee416c181309bc7d2c7cf2c0972c6bfb71

SHA256
c157157cbbbe6e83f966abe3aa9647846166992e1d936eaf70aab518aa09652e

SHA512
38c489e6cd7de605c10c15c6566cfece75830213d09fa346bd03e5d365e55ed9386da9b8026b02582d7689116d56ef8be65de027f8efa025257e4ec2593e70d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2cee831732eae121923184fff42089f1

SHA1
7f56713edfb6435b82bee63cca9e8d73385595de

SHA256
85cac6046bdf750464caeb7dc709030782fa39e922222163f68ebf0e4d2cb838

SHA512
85152de7a9095bbda456de4d02df28081ac433ef39f275c7104c6cd10500983fc3e257b66d23fef834052cd132d5ebe0d445df9aef4f15422c07e463c7518400

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6c3134a0debd8ed6b0c323b845b2d53c

SHA1
aaa6126f6344c6093352cbb9f8d3563a96ed5c1b

SHA256
37732d81185b4665c39ae7061c8e5ce7f7692c14ffa871e3ebdbc72e2f7edd38

SHA512
9604ccc36ea91535af46ac7053af0d181e1a428ae3bbffada9e851d09eebc4f6b5d48764196e3af6c2d9815f7f6017d81a7834cb5772c3cd480be69500b3b491

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b89ec3bad826e497711ad1de80f81342

SHA1
b3a4308141fef5c30d72820cb896664aea87683e

SHA256
8aaa073948d7a3f5e4b69cdef9d5171f3ca8de40eb2e78a2772181545d825080

SHA512
bbc1da3f562af12b500e3d15a7883e780b87cfe591c0e91838877a0452136fee36aee5a287124f053ae028101b51c2085ac4930efc61cbb41b1607838ba11dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
71fa39f26c8d959058df969e3dfcb2ca

SHA1
65b692e7fdeeca7aca876f988f77cb3012a22f70

SHA256
64720c5123ed4785751bb21c934b5978c630742e0afbc8d30a64382a2427d739

SHA512
da382b45bbeda1f4ae213b569c38a47f3f2453e1d2a9d2ab0ad8c90a6ccd719a942505e290fb9a979e193700fc4f6bc1e5046bbc129801497eaa8f6eb0789a18

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7583171841a44c23b51bc7ddce1502ca

SHA1
3bebc4396780ef5aac54fa1299a4898803fc63f5

SHA256
aa36913b3e480349b1e9affe63163a1c92d3e51cc75d167c68c5c378aab01d16

SHA512
79a802437d5f232d9666c0544acc56a780e428d9b120019dbbcfbe597f9449ff93cd4c97ecbc8fdeeec392f8f25124340eb14319ad7f1a06ffadd32dd30e90e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f0a0ad167c9ade82d5eabaa9a98446e8

SHA1
da70c49b5cd58ab8bee289c79e3664607a2bbf7c

SHA256
7cd832b36ea234eadd88b990624cbfe1a78d518211033bf7ba0552b680ee3b89

SHA512
850e1cc858967d2c2db0fdbe86d573dab265b78866838f8b9fe778e938f2b6d00c1cafa787c24110709eea3b4fcea96cea585c84e23f3d1f3c27045113999b65

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
dc291b12012d493092879c77d416efe6

SHA1
a3e5894b1e59dc887a22db62cbf98331c33f3a1a

SHA256
5c65ebe37a728e2a45aa66380e124da4746bed946db4ffeb73f8084b3b5b6f0f

SHA512
ba299f556540e48c86c70473121fd3bbe7ae82ce9f47173450d3c2e733ed2e98da97c1f61e3064f93f3f77f835cab7cd51c5a993e4bdc612e3b7d5d336a45826

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
be3231d2d722127b60a2faaa75be77f7

SHA1
c4dc4444269b6b36c08c84ff33e376e573f78516

SHA256
fe1e44e636cd3e555c5666d576b5588954a44a8152b09c375f0a8e4ce99f9ba4

SHA512
bc98c3885eed816bdc8030669cc248b176962430755be921ecefb0831336f5accf0a18720257f4f9fd26e2e2dd0331a198e10e27416e040b96aa7ac3c1c122cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7e497e1327344b1be32e55dab98f7299

SHA1
32aa8c50e1a6319deac5b0454becf2bbebf4b8c4

SHA256
ccf94feeefb1c4d28919d5d3b40fdb317d360f091319768451d2e7cd53be750c

SHA512
554714015f491ef7b65b266ca0f88fea37bd612727853c6e2d0e3398757ba058a37d3070e108212fbe9669cad9594b1a5e9d7e062fb968f7c2260babeecfd310

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ce7a8905-4286-42aa-bc01-bc3051cd60d2.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4a2574c54d6d47992257e6b7136fe5c2

SHA1
e2de28d1c26c9ffbb5e14e1d2645461f7fe2013b

SHA256
7a65f9eceba1a252e32b73700e0219f01ac2615e535bb83f9e770ba95c7485b5

SHA512
17e11e68cfe809eae842e4425d0c956dcbf3ae9f9f8111ec0456ca7cd92aa2de7ed48c0faf8d21a7e62227ba13adaf9ce2878575793919e954993b10e4acf098

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c1a7729ce4c4a92017dd5ec052729715

SHA1
d5653b0d214a664d86f8d19fc51a4534cbf19234

SHA256
7ba67ace8e81a354075bbb4aed2c7e5fd0d3c69408fb731a71eec4ebde792441

SHA512
46e02dcd9fd90dd33982c9f6ef0219a416b080d02686a7ee6f19d63f166738d716ff0deb1d6fa4231e3490b915c8593412aca5bb0f165554bd4ed8d48e390578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e7e9f21cdb1b45993493aeaffb677078

SHA1
698b267746d50d29d1fc8923a8fd5879e24dec57

SHA256
81b7f851803250c71ff2b344ae9e72fba199f54ac1d9998d014ed709c5e9e299

SHA512
41f62d3c38bcb0c537283730addb4553c1726885e497290c79783c8a8e443894c7fcbe30974952a3593e61cd145ae27d7dd5e9d18b3a7b51efbb8947f237c604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
52b7dfa9146d4b007f7ba169cbbb55d0

SHA1
f79f6c068ad6e6082ff9c98934884115434d7933

SHA256
63831be5e5c0651e12390c8cf9141889a298649690ef1b0620e36b1772c4ee71

SHA512
6db9f03af8b3694a6fb71f7ee94b02b9538536f37b3bb05b8d7a0af42d9c73b44c6eea08e6fb14ccbd9a3299ec3f2ed7805496a772d77652d6e25c7d646ca728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6bedc1e42afbd83c76a3f2eb3b11edd9

SHA1
a4751019b590a70e77ab5390a3070ee8e794f53d

SHA256
71b7265b1e194b74e5e07a508ad4fb890af0154649cf4be1ab54c97886ce3465

SHA512
38cfb78f86765a865a9c8b9d5afbc30bb3ac65e8c02eac35a8a5c150861f74acef7c7fd93c2422c3615e501ff8090e058095330afa89715da0d32dd8b132ffaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5808f4.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8068f2db264aa05fc4399702c5ffd449

SHA1
5978566e7fc7e04c91dea38ba6e745f52db32492

SHA256
e173f8ca7c4d6f5f1d9335a53385dadc4d4eb83e2b0c30993bbe51981a41c385

SHA512
221eb2a71be339bb2b8ea5d8beac8384c16afa5fa2bf758dbd381117553763906d4872bd38b333cf007b49bdc6b7b275fb2e52b5a0a1eb21d5011cdd885384cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
2bda256b813a0d0825088ac78f790d36

SHA1
0ee6090081d3f5f7d8ff4b2ebc858598f5b04584

SHA256
bcbd3b15daefbf6ad69f96dac969743a98318159b2ceae41bc6fae08915b7983

SHA512
441d836e54775972affb462cd972a38995a436705201ee45de6ae9c9669a2402d92d2620d53f9864928c3c0c54bef0688ee7d3642bbb99f41700fa57d087eafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9e6cc259c815c7b49debd3fc92edf33a

SHA1
4cde49d00d0c08d0d685a3401d37d88df22009be

SHA256
91d12e4fc189ad45a1ffbb412bba94301bd9f3b43d1423f816c191b2d1507133

SHA512
e378f228c94d8e3d7beb722fadb9cc28a395e525f18ee144bd6ff5dcd2591a58a3ffbe38a54e59789f6ffadb0a74e1b30e0934e12c53184a63fde30e93fb8c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
3411bfc227e4046b81d7bbf9a0de2fd6

SHA1
f09dc1bbe7ad3dcd53b0b74af5f886a276de1e74

SHA256
677744dfc4e1e9591f7543226862cd6fe5084f27af681146d388508b2199854c

SHA512
5592220059df181c0907afd48d0e11304cbc21b0183d6573e1b2eb7c2b6d7f2ac71628257088ee1ff1b0e712f38f24996b61afc9473edbf574ed7bdc3699211f

Download Submit
C:\Users\Admin\AppData\Roaming\2c7d5388c3a5208d.bin

Filesize
12KB

MD5
f98da39398e916e09546b0fb68b134c6

SHA1
e97496aebfd3daa99361dff557f4422929be6083

SHA256
b7fadef4bed55b52b6adb466cc9801464204c3dba52b5d62a8d113872febae9f

SHA512
d383bfe4018596e3541939fec1cf0fcaea2ae8e900b2d5201885dae61e5acbda053ec520873a2763da44008a213222a938b2ae376c8b0814df137785615ffe12

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
396eee3e7ab53f9a4d3a60855972cb48

SHA1
e8a550fe73c717e4b6df8c1e9bc62dc455973302

SHA256
7e16e82ccf9e85ff969936ce4f49be55d66110bf08eb5750aa4d361f0ce03859

SHA512
118cac9ed10fc2176eaa39beecba4fcd320a81159545057c0412db95a15c8be2227de5d97a258a8652235c9f798115f7724ca45b4d3ff800c8fa88539777de7e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7896b249e0278f757bba4d20f44a336d

SHA1
77b917fbc4ad3cbd1cca361506f3b296cb44aa03

SHA256
6b790f78c10d0d2fe0ebfda81039929fdf87246b67b84d83fe8145ccd1428452

SHA512
e9df2cce2ae2851b385a9e6ab40be41f2f25a9373306ea62d44fd11b39518b66cd743e918ff4122df181c8c5f70250ca9344ed82bf06d3bb2f341cb1f9766c92

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dd79de821d170b699667328154fff392

SHA1
fda51ebe7f85fcc002f310180e26cf63f41a5d7e

SHA256
7f39d365c51c54d8b5e21f97eabff683d69919283ad4df700e71d289676fa96a

SHA512
6b90de1b871f65dce826cdd8e8ce2898f0401ae9387f97780eea47153a114620d41a4250975d3808cf186ead418ad950bc39aa0ffac401deffc121145bc42d55

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0346b0be096296c0d69577d20bf04f4f

SHA1
56b8686d4332f2d657c70026d4bbdfcaac876038

SHA256
60ae98d949f6ce3d87f038ed2b1c75843b1ab5a9e0dbc3216384143b56c7c637

SHA512
e6a3ae6b3ec07b8907e067a2b07c6ef62f10c1a20df3e48493b07565b3d253dd563b7954ee704141d4d8777156c25aa46351e30e40a8b0476db5967dd005e764

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a5d179593a2c45e8e46ec169b249b72a

SHA1
a3409289832732bd73e5b902d22d8d32a6bbed85

SHA256
b4cf09ab0a175fbccab932a43f7f2fedf9cdef365881234d74058f4b2fb0ce18

SHA512
ab1792301bc8b87130683e4784451dc4af99d033dd0a21c547b86fb8dbe1cda643effdc68a272249116b93762bbbdd715e8511a0ee63ce66664131f201a923fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1411b6f7e1313b56127c9a33f93eaa19

SHA1
203ec49bc40e6e44413ea9755d388a22bceff902

SHA256
4acd291207b61013db0bd085695e5f810d91e9781d1fcab5b7811a95270f379f

SHA512
ef3daa690ab1550cbdce9068f4f71e4f9d9f2ccd57b641115a6b976ef5d94030fac058839f4de478ef6c45e786f90c353bb8fdf92097c47db12a34732229a48a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c200b07228ca0d675b9c8612836b36a

SHA1
55e29c8923843a0a92013f7f888ef9780bb363a2

SHA256
55ef97f4fbd9d8500ab0ef4261ab325a5bc6e3b222daf8ccc35525490c104160

SHA512
beaa2a97b6fe10c2726cc1a4f6bf38b29497d4afec3ff61624cdd53fd6f88579036327647ccd45dedf31a02e65fbee34fe5e25aa9008ead3886f00cf09f7ed1d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4ca0966b30f86affdd1054e3794f2863

SHA1
40c2086af0b7f79d0091b2c29c7d76e5762be500

SHA256
d39fcec9e99728a969a8b829adc1611229287233f991261eab0bf4b8be54f560

SHA512
88bd420daf43de6cd4766c0fdeee9ff54dea18a99f5b9996b611ac04e7fe9c0a8ff45b95507c22ccefbea911407a9abb905b38e2d6136e4aecfc0dfcb26a8fc8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
46bf2c7fa8f9032d3440939585367bca

SHA1
1ee0acfae2c28dc1958b9e519bc0bd9533b0f3df

SHA256
ba82f50150fde7b68025f9521048f8499ae4dc45d3ae9a55c6dbe8481870e3f1

SHA512
dd18ed88139897a78180686a31c065948151930d273f5978347c991579e1cb2e2ec5b95252f53fa3ccf210373786c743de88005fc8f0393f1534dda4cdf1ceaf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8400296b57b2455d116b17155f5a292d

SHA1
944b81645eb6644bdc65e3a05adc99ee02cc33c4

SHA256
bdab3918f35475a755f5bdf561c243a3e2ce16bef0d0232259009d395236b977

SHA512
ab03fa3315edd3909bcb7f25af9d59c45a0a7b322efcf313018d2c7492693986a60ca8e59f2b92f885ea05f4edc2b0bddb3cf4fc2545080d52141dcf18c3977f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
882292f0c6729f782ccd8ecc9f148208

SHA1
0a1cd31a228321b685ea5e404a89e41d7b4b6c7f

SHA256
f3696d0022863ccb0f3534a4ea36a44615c566419daea11dbd70122d36d961af

SHA512
fcb06b0b5305996c48d5927b1698caad1f65c6612b57b360dfb98afabb262977203092af8887f48096df987f04271e1274d081996a47f6f2fcc09d57dae155c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dcde6ac956b3ba032e63fb72d5514377

SHA1
4927e2c67f76ba3a618dad9265491377df474110

SHA256
8db9dec8faeceeb801cf4d76602b4a5c0a4c3353283fa4017332f5e9b6973357

SHA512
0796a36880e75dfe9ab99e42ff013c7ea9933095e4bb6d258582b9f686e70b1b58ee307cd1e42ceaaeca9f70ce8d05f2c075bfefb3f9f9d5c1b2e454ca336e96

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
15b7d81601c036cef5ae0bb4fa77d218

SHA1
92876dccd93418659b33a91694dda33fb1cb6e3c

SHA256
c1768a8efe30dfda0b975105377e47f64686d83735e7cf56f2f680419728303d

SHA512
21cf80b4e5a4e1d4bdab0703534d8715be12f59ce0cae8a856ab6595825686e8041d9c9c3c7b399474509866f04fe710bbf007868ac00b7b61922e370ba8b281

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c45b3942fadb08df8a982f82148663dd

SHA1
f56ebcb5648703a0b571802b236ab5ad74913a27

SHA256
45b6ee61027dfff4a951c6d986a288dccc70e582a55d32705efc29a2bc144d4b

SHA512
8b28d92c3f0fa573b1287efb6e4cab7bdb64d521029bddca46e9b75d4124bcadfbba4ab9b6b33b1c52dd970dc6a06de75eef665b6ffb6cf54aca1efee54703c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8c6380f7274b66a73ff65e589b02ad26

SHA1
df32615eee6386bf98129596a456f5235401e909

SHA256
c2bdc66a3729213c72c4b62f9d4625d3e1e6891df3c58b7745558660c9fd0149

SHA512
69b0d121c159c206e2699618b4d3738a41c6669d0b1566cb7c946c5c20f01982bfb278f89b46817535f25484cf380c9171b98b7c0e37f40eb30b2e15f8e3c3c9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
564e8363bde2b6e72fc8384af2865252

SHA1
00b2f90c924eefe5d116146cd2603bef68b664ed

SHA256
2cce3fc82e92a1329b3823c45f59a64e892ffa2ea9c62ae7a9a1718b12ffe026

SHA512
a3b9f5d2e9f68b36a5a40d085b74419535129e2ac63fa5941c53909b58591487dca00a54fa29b20cad655c91cb5b0666ad49ca439f602faa1bd3269352042704

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
69e253e39b5889283a153fe7cd627e22

SHA1
ddf285dca1d1b47aef698afb462a7c218439990c

SHA256
ef2e1e35cfed4e61b174ea16d07c66e3b815aafe8d8330bd9cb2042897af3e32

SHA512
88bf91736b0b219de0fb6c31d025906bf4e16b57ded233fb50694e384ea0aafd177f488d680735aa09886887339fdf99c6f639b9cbd46f5b70190a588fe41bfc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5be72b3a6906c3064b1b1d7be7e01a97

SHA1
0bc561694d48702e978c9bf864a88167c6985156

SHA256
1c7097640b141db9e2c1a1756af778c06b13dca549bd37412b48d4e782e10b5d

SHA512
450ec7fcba4325aca8594966f548472097a018af4cced4996c6dff0513a251ad781f075fd1a4a2937fe9b8d076efd3d2b0eef18ba137710d107f390433477edd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
523cc97b9df5831bc0e4985ae43c41c4

SHA1
9f8290b839f1e8bd7ac5b66dfcc18593155adff0

SHA256
6633e480508a967ace0f674ac8d964ae26d4341fb28d112b84f363918ec99e7e

SHA512
ff9cd0c3e1552c92655553d0c0a230c879d0a8d632abc4c79ca216f83f03defab8801ad062fccaa925f2631f0d3b0a2abbfa23d400365f121cd5b5f6fc3b6a41

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f102ef002f17c357c836a8eb4225469

SHA1
ec2fd9077d6d3f78bb88cb548b2e7e42af885c80

SHA256
9a68ecc30ab0a7a3b6b5bf838d9ce29cd597fd132ad71381d1a756af1d763f82

SHA512
354c052303f03096c5a3aa49305c95d68d1e7468416a30298a6c78852d6c4b21e73570d5029621719ab077b644e4248b8ffc82c7382006b341f57fe43f7a49d5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2e3668007e84c77cdf6f48f9c761975e

SHA1
3cd919229b5a72c8a7633a1b1f5e2599b1446e26

SHA256
8d1be6b29f5ba0999ce33fb6af45ccd83d2a7a5ec9bb4e11a73eb1f3915cb730

SHA512
4d0ff15a6c4046228f55a987ff42e8f8e0cdd7bdf2bc724bb8c92a91c567e128661455f5481d70563c91e7812c94cd8ef629a688042bb542657167a52178cdd6

Download Submit
memory/428-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/428-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/636-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/636-103-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/636-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/636-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1852-207-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1852-72-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1852-65-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1852-66-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2020-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2020-165-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2020-40-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2020-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2196-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2196-17-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/2196-132-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2196-11-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/2448-102-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2448-216-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2568-27-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2568-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2568-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2568-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2568-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2576-133-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2576-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2772-144-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2772-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2772-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2772-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3308-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3308-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3356-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3632-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3640-130-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3640-121-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3640-222-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4348-110-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4348-220-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4348-117-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4348-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4424-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4424-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4552-387-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-169-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4600-415-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4744-612-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4744-427-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5236-186-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5236-424-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5312-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5312-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5520-595-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5520-208-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5584-210-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5584-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5712-219-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5712-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5760-391-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5760-611-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5820-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5820-221-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5936-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5936-225-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5964-422-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5964-454-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-377-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-465-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download