9a2a259ff49596b02ec3a4d4256600839a669893c645dbc1a8dfe8f2605f83e7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
Size

5.5MB
MD5

e94e241286a1d1b82dd74de7eaabbc38
SHA1

8ab8ddae99e732cda8f207d81b8352767e268e39
SHA256

9a2a259ff49596b02ec3a4d4256600839a669893c645dbc1a8dfe8f2605f83e7
SHA512

11e143010d9c08e7abd36d41a7c642f5dd3db64169a0bbdf8c16290883cc6a0539f538666da6419238f8d30fa47361942e7f2195585126527e42bd3cde54daa6
SSDEEP

49152:wEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfR:eAI5pAdVJn9tbnR1VgBVmufEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3784	alg.exe
3268	DiagnosticsHub.StandardCollector.Service.exe
2456	elevation_service.exe
4556	elevation_service.exe
4876	maintenanceservice.exe
2396	OSE.EXE
868	chrmstp.exe
1320	chrmstp.exe
1328	chrmstp.exe
2456	chrmstp.exe
2076	fxssvc.exe
2760	msdtc.exe
2780	PerceptionSimulationService.exe
3608	perfhost.exe
2092	locator.exe
1608	SensorDataService.exe
1576	snmptrap.exe
3232	spectrum.exe
3280	ssh-agent.exe
3228	TieringEngineService.exe
5064	AgentService.exe
4016	vds.exe
2288	vssvc.exe
5072	wbengine.exe
1912	WmiApSrv.exe
3416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2a92209da46faa3.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007be7676376cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000464eb36476cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133647245543496406"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000455c7d6376cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e83846376cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003461206376cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003337576376cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4343b6576cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fae5866376cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
4144	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
5932	chrome.exe
5932	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4676	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1328	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4144	4676	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe	83
PID 4676 wrote to memory of 4144	4676	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe	83
PID 4676 wrote to memory of 1532	4676	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe	84
PID 4676 wrote to memory of 1532	4676	2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe	84
PID 1532 wrote to memory of 4328	1532	chrome.exe	86
PID 1532 wrote to memory of 4328	1532	chrome.exe	86
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 4648	1532	chrome.exe	92
PID 1532 wrote to memory of 3424	1532	chrome.exe	93
PID 1532 wrote to memory of 3424	1532	chrome.exe	93
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94
PID 1532 wrote to memory of 3704	1532	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-06_e94e241286a1d1b82dd74de7eaabbc38_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff09dfab58,0x7fff09dfab68,0x7fff09dfab78
    3⤵
    PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:2
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:3424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:3704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:2780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:3728
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:868
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1320
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1328
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:4924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:8
    3⤵
    PID:508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 --field-trial-handle=1944,i,6234362210196077941,9224450944478744737,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4876

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3416
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5304
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
edf409b1cc1158ddf16951c5975e8192

SHA1
1f7f004b38b5c0cd8c0d7852d86872c5c5f9875e

SHA256
f015643b1fc16d977c1f5634ca4ac77c7658783537be88dae5d93c051c485bd4

SHA512
2080b69bd25feeb1d08502cf58a2b8efb15dbefa32af670ed2d9296833dbc9aead37c1ad99ee84143dca4af58b03d49ff24aeed7309e213fd4d186b7ae30ed92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9bb910ac702450f87c6e95aed22475fe

SHA1
0cb11735b2d4563d8fc681d41ad485452bd4b84f

SHA256
307c85bee56c0067e916d3a1bc6b689ece13c23b50dd7c2bb132f6b57d33bd17

SHA512
e52b989bf7c04222b6dfd8934fcfcf74c0aacaf7d1f56a0b468c2a06675949f7f7ba673f1fad340c150480914bb94d82222b15ecde80c312c1cb08273a599bf8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a0ff41e2c559e97220be6d8e94f6b1c0

SHA1
4530706313af322ea5ad7a9f41691abcff557894

SHA256
4e995c5711c4359983305c3c45224f796c2889dc8316468453fe2c128b4d8343

SHA512
710ecb46201b77cd440133208be775b6921c7853670dea757bb4cc8143911f1c3075d30664b30fcce45623a4c535de407cac6b78b1e38f386234696043c32280

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e5e9041678927f480061acf14150ef08

SHA1
1668fe060caca17edaf1309ca15401627b5b889e

SHA256
3005691aba2f3c7347487a7eb985c2916ba53264cc7cadc516b50973c367d8cb

SHA512
0bfae752be53e2db9aed3479c36e888f8c425c4ba9e34f5d59f50c5d260c42016a6cfc64c2e0edca686d595ae6ed5357fe78fbd2e1b50db488067792cdf5937c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6c21ba280aee3c11970759f3dba08792

SHA1
637c6bee4ca0e6706307f879e32f6b35c2719237

SHA256
f8b05ebfffc21b27367bc29d8ddcf3a8265a9617e6e3be67ee7c8cc2731f8c74

SHA512
b0cdd41cfd9645b38399475bf5eda5989d47cd53febc7cde3bc0604c8a452cef43742e8e4e21789611237966312e772e5dfc072ed95b1555f35d7d41de447f30

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
55594ea93cf04f9574be8764931916e2

SHA1
c6e4ec0cbe6d67eeb736925c995a587fa8ba059b

SHA256
88f55e6dc24405d33ad35bb60cfd9e69db42119570794d27039e742d8b58c6c6

SHA512
c81765863ee711479b86b38711cd997f78ee2a6e7af11e8f85d263bc8ad5a3632ef6429b389f59f789052dd79c9b3d976bc9e36fc3bd07b6bcf9afb23e0e32b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
91625f978dc0822063e4f7aa0c83d2bd

SHA1
c603a960c2bb32dfb9938fe818fe12828bd595d6

SHA256
9fd48e32275659408485c092f9fa7787cca4826aa70824dac6743cec3774940f

SHA512
f1193868a339c14b2111e04195f0fde55fdc2385be18633980bd78a82290fbb8ee792221b2bbd92f0058733594384ec94ebbf86b4de22e66d31c0acc72de49ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3a7f899830767950cae5070fcdb3808f

SHA1
794be709203d44f37abf832ae5eb7e21bbdc3514

SHA256
45d51b0aa92cb7e13076b8e2461f2b20000dbe003ca5b5fd1c3d06bdaee55550

SHA512
509b8d7f5fb443e3cad983a34577b2e0328a5de72e2437a7364060f79c0215982f95fd698a498754aed817ab25963ffba6c1259a3a377d30721d80aee50bd49c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e167de516de49f09cf9fc99da69447ad

SHA1
423603e0e64ad64081a961ee1d2fd6dcda3a2f7a

SHA256
68ea56a10c642dcb5de4d97958234d864a1030985bcfdb20958c8bc2beb576de

SHA512
bf907485a47f066aa15ff89a370fee24e9daca254c67cd0e963e22bb1d8fb1e0b2f08d061ccde37f59a062b80e109a0f638bec496594ccfb722af06fe37b58e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
68995c9493ef1e43521f1a4ffc7f5b01

SHA1
699b572fd165146a5c8bb457bf978b4fe10200da

SHA256
2dd823b902f61bd4e672510644a598d48f0761b0b85296524c2047508c7c6f4c

SHA512
f85c29fc1973bd345f508aa95c33635f7aa92e6afb66c9bd86e76c6cef34fb1419aa5bf708b44884ff78408a90c78a14170ffea979ea87a6b123be40704ff752

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
78c6784e60c614fc8365cad555d69060

SHA1
df57c2ea03038e6d9af9e8d1384d8c5caff7d90d

SHA256
7eedf060494d8d2e2a4fc148e59498d20bbb5a43670b5a04effe083c36639416

SHA512
70bf381fdaf5e8b486183b9bc0a189d33ed1086e2762bf4d4d75b53b6c4621805188c63ee279bc555f24e56c85fcca7b22c3dae04aced8766a90f92139d60ced

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4aaf63f9e55798c9e22f1d256f31f5de

SHA1
ff7634d355bfb367f640976ce1a0e40c2dc16215

SHA256
8029e72263eaf95345f8128af2392680ad26417cf267691e891f6892db59d692

SHA512
02e563aa406ed9a1b69d05a6220dae6a2e86570b929c4bb9a8db95bd0ae1885c6b9bc4ecb0be16da768b2c5e061a45aff222976d8a3195b22a7cf67bce0a5826

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
276bffd2de7cb9536ad31703b07ac27a

SHA1
f858cb1ff7207b265bf1462b6a3b4bc62fe858c7

SHA256
02afa1c305e52479ac84bc705ee8948e1063eaa3b93886dd738d92c69f8adcbd

SHA512
4f86257fdd5bb7397a85b37284994dcc9bb7c31d09e6fb1dd6e1cc6aaa1c09f47ecd2df1544048477af96a7ff3b7895717eb46e366e52fa900eb369a5a34448b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
187c507412537992958b7f5de4f90d38

SHA1
44afafc7c057282cb53e485653ae2f83faafdd16

SHA256
b538c4b59e38f115392736279f81dbf3493029e80f6b9cbb40a6e3eabc7138c9

SHA512
0708579224b0efc720abf768447b5be3dd4d9f15d5b6c5f15e5defe1bf7cbd9f0a9e8ab41f85413c90169da6d429b0c13ff2d52ff7aac3d2849a7d04326223a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8235c4283de69f55531dbdcafadde7db

SHA1
87413935002d52d380c7b03b2295618c643db68c

SHA256
c64ba3441b1bfa96abf8b817f652a14621e061fcb39f316d69e42adba9dc2574

SHA512
4e30d6e5222108810e203d42adc76b2e210a9498f5177eb690451bf5b4cbdc22f07d8a7b58da1d706ef9487cade5db1ad9aefecbf82331451218cbb0938e1dba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
103913b9949818de366f7fb6cef33c87

SHA1
96eeae61c5fac75f7f4c6b4fa3bd1fb1e9807e91

SHA256
ba357a4ebd333d83e8ef97b0fedaa25013b4f02b66b2e2f3924b98e633ef6f36

SHA512
471846d22050a0af83805e91204ac6e5e917467e5165a5d5199358d59268b5485f5210eda8bcc704718f2be9c49e63da0c8d5eab784f189d102d5f2f977f074f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
15f8fbc721d6c2e7c7a182ff740a78b3

SHA1
aa8b488f6d4541171d09e2c282ffd5918f05e8f3

SHA256
46069534aacb578d01ceaf7282271e7d7aff02a4066d9bbf1fc473a744b64843

SHA512
ef5afee25eb75d5adf8ec5e60668fc10ddb3546fe5d62f0300e77996e8888cb3f2e953bede0e9119bd1a96a21d9771de446f3764ad09caa980e0a66bcfa0c6d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
908f36e8bb54c727df18d4fdf083fbe8

SHA1
299a55dd7c95a216a11936fff75a821825201435

SHA256
f6640f159221c37b61b6c3c7961aba8803ba9e23f153f5c410bb9edf70d4d3e7

SHA512
5f8eaac7cedbe0c5d746d131f0a6e2d3b15aa505c5013a6f57acf0679f191cc4bb93664c214d32c9fc8f571621986992af21879a0f0f0d555d94a755e6a85d8b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\bf90779d-3647-4220-a9e6-96f82b303781.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e07cf3ba48c3c5b911b644841fb9a24d

SHA1
1b377898fdca6ed2f3a2efe7978604dfc52ed01c

SHA256
7f2606ba2c56dce0d99fe3b92ccb89b54b9c609d91f1c1b105ed3955d16ee468

SHA512
ea2154162ec025b8ac5881a735234abee3a952e30149981eea11b1598ef88a8e000c54c07673cc73cad50da6b232af2282d54a731a271c4042838ff63aa1a52b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2e622239aaff6d778c494fea97908109

SHA1
aec335887bd43376554850d99955f5f5ae82a8e6

SHA256
e3ba21a0ca61fcca7a8d22d7002f79a4d7a5435f017349601826e99a144ccdd5

SHA512
4aa5c77f40a0f507f61163f63af8d1ed5d21c220c5666488a4cf4d2ca9d5cf965dddc2687eba4c61a732e07b269aebf4c5477c262b2bccdce1b15954d5a5ec80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3470c08242e4d63ced6cdf4bb5d4fa85

SHA1
198a95b5778890ce0dc1a6170299f72fad2d642d

SHA256
2f0e0b5c2d93fde9701cc69926d1a668cddf928a698a8820625eb51481c60a71

SHA512
ba78bf553541f4fe5a18e7206599abd67e659109c9f299f675341fdc8f366adce8f942b92c79c22785e11c5226a66370a6f9dffd486b6507fabd955891c43e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f0a1be3c93af22f2f9ed9963b708a940

SHA1
62e9ea55b9986a6ce3b1e627961e93598e92bb93

SHA256
40627d6d113a02e6abe1a8972185898c89774da357a45573cf364b08ac00554b

SHA512
e712f3ecb7ab9a79edd6626acc90da38011a597884e03b467c1ce5390845288ca2480822c0329b45bf1fceeefb6068e151bb8590ad6d5df33c875e718b9cfdf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5888a71f487ca5e5ad02f69caf99094e

SHA1
a12e2f5afc56a4fcc1eddd136617942862d49469

SHA256
46babb2b3e3852dafe3f429e3f6921822af82a4fa38c679d191e4f9fb9179b6d

SHA512
e53ecfd469980f1360bf8b77f6aaf4c408146d194d1f67b61add18b3898c5c2bbece62fd47533982c17bb6947685f8bda09f109a079a99f465c1e62298ee65f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57f26e.TMP

Filesize
2KB

MD5
17c60fddfd5e2fee19f1949639324a07

SHA1
8e297aecf0e143ef8068147022419debb8f4e5de

SHA256
d4dd3f5457e8d5059d6fbad39ba8370483282a641646943a9e1f940fd09e797e

SHA512
08922fa5248a67fe5db83412e9ac563bd64e8fd1b3ebccce1bac08d065a77530830044903813645b41199013056eb7745701fbbb5c11f2a8a9546fc425eaaa8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
223c58e8285918117e38455c2e2e83c8

SHA1
69223f15ae3514271319bb988bd404fcc2a84aea

SHA256
8023f4ec90d39561f06470dbceee765dc80cacae00cd7f77c2d30b01f7f25c03

SHA512
8f540bf804c2de435f11956c7b9dcf1f8833d462c787fc17be67d53ce4e71c3b5be702eb5cbfe30ae60e4e715f60addd969c83aa150c9cedd24eb8cce12a003d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
146KB

MD5
079cb701f464c1b4d838005f20da0c44

SHA1
43aecfc03a8bdd1e0b85a7f70a95b1362e933ad8

SHA256
f1d9fb8c75cff77439686b2bd6795a49d2c88276e1806360b24c6ec96c676609

SHA512
549087975de5dbea691f89ff9d75f179510af114cb66508d5f2cd408fcc3e468b4f3327a548413ab73f984f36828d1cfd0a45a089a2543bd10ad767d99d934fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
308KB

MD5
d3e570b55541f395ab62e098e56bb51e

SHA1
8c1dd682e72216f301db5c99c03c70e4ec5b4ed6

SHA256
32ee98a14f6560c1a06ce3fa7ad2a4bd5f2ec007e1308df70d1ffbef1aa2422b

SHA512
83ef4ace8ba6eb71c848cb8bf0a09fd49a01fe5a0c6c5ee42f80775a6caff9b50b7428b6a845ec393fd8b7efb316c2a23ff144ae9b61cf8847d579c819cf906a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
45bbf057dc263dbe9c43926796b63624

SHA1
c29071674755fa0e8ce9b5d59cc327c58c4e3287

SHA256
72af01de91edba23001f435038a356e4912698e31ffb923911eeec9e98f80f4c

SHA512
4c0eefb9fff6d1453f0620e3cad4a50c008671278bc312ae35d83c0bfa2b62c0c8246478b838984b124377033d6ac250168ea32ea36fdf63e757fa7bdb249afe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
3e2cf272182ba00a04351201422a0944

SHA1
4ff66226f7c39242c0f8d216d5e9c336b4aa80b1

SHA256
ea8db75b8b212e28342ff50db429d3359f5133e11c3a14a26c27cd726985fcaf

SHA512
bbbd314baac59e9d1bf65a9493abac29b5c8efa6a738b99ddc947e790e727b8fd65a7d522975822ef70e09a60e3ca0fa972cfc38cf3b3e84c5b5103585efc288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
8a02d075d791f0b7ab34d18e0f0e4ebd

SHA1
20f8565e64a43961dde109db2c750912b6086ca1

SHA256
d77cc0a605ffc73aa863e126b68fd0cee8d39cb4b476f0d383604d91c6c3668a

SHA512
a9a4602bd7f4982111cd9fc309272974632d3e9b6fd40b675e586384afc41e2451107acb960ce8a6ad83e90423c610a1b26616ad8f4404e4d7da05c094bf06b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5867cd.TMP

Filesize
88KB

MD5
34ed7c1e0bf9dff037c6486ad0aa9c0a

SHA1
0de12e920ff7b92306781be471b8a2cdd4eff27f

SHA256
37871f7158dd1ecb673df8d8de39fbf5ee6cc1877fbfe34ddbb328c9e13bc10b

SHA512
f7f3cbea903b5aa3a7db1b3c10848a7fcd5f1037770c73d5640e5912f9db1b45ebf3f672da050ffcbdd19b94ebe0ff39a6a7b3c724788e5f60da1118cc984edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9d0a40d8e381e24245d49de402e2d4e0

SHA1
6a1c888d423d91b10f315abda1f827920eefbc1a

SHA256
c012ebfc2abd5330641fb5aadc5a100b0cf1931ce20c143fc31f5224532e6298

SHA512
9fce31d3ef354dccc1e884a9e0b1f915ec3f71cd386dcfe0de2614cdc2af8bda84da90971f0ea72a2b78d201bb0caf13437478a1a26ca6542b2c12e0d4ccf77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9105a849050e031c7fbcbcf668b837ad

SHA1
be8aa8e8dfa386e83a17b84802bf7cd81a630014

SHA256
7316985b13305059db704d79d421284d513646fd3b441781ae669cfbeb373813

SHA512
5b7820c1305020322557aeaa46823eff2ae835c7cffd0c15017db31b9da0f07720b8b769394e10c16a6f04ad3c586f5438bcf527e87b741a8f913989cbbecd22

Download Submit
C:\Users\Admin\AppData\Roaming\2a92209da46faa3.bin

Filesize
12KB

MD5
51a657a3fe4cf1b0670fca9648278e71

SHA1
f45a0f6f05b3c20befc28bc81581d2ca7b486748

SHA256
f13e03dcd4ac321a2e33175e51e4563f93a37dd1b42bf54efa3b3385c5cec487

SHA512
4c6d154b5b28d5a04382da04080b57208759cfab52c78b462320838a092fae74f98ecb11199e3b0ac2b14085651e91be3b3a3c60a7450dc640b3f3cf6fdbf116

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b47f340fdd5d39f48cad59352a3cb035

SHA1
17a78599dc229f6d2df24e653126d6f5b3f5cc40

SHA256
13eb27897c5523a89a431e8883707994aeb95daad8eedb5e82aa18f92e2b9a60

SHA512
34555285c38a3e165cdce6ed4f0b74290295d7a6b47bad993835396112ca18b49b899c65a1c3db1af1f5a29536bdd1d30c9db8dfbec591669be986ff59ce5a74

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d7e5800e55cbd342de9fdfbf5318b841

SHA1
897335b53f06da31118ded845e8b87975a53e237

SHA256
48727e1ea2a09f76ad4ca02a10828d41053d9cbeaed43f25208f4800293586f2

SHA512
36af57684ce390972af88a76a6095c36a193880b97dfca8d2a0e301a40fab06763e2d7a444d1463520b9b08c4d1052aeaed761059a028906b636dc2a27e244c4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9a0d246de806b31bd0427d6e69062bb3

SHA1
e335c735312db30d17ed57f3018d41aacaa6ff63

SHA256
d1e6c7b2e70a7bc6de7d6a835eb5026c2e665d8885efa0dac2577dc801fad154

SHA512
6ef84b39ddddf69cad77db55b82396482eedf0f411b4c6a32992d7b0b703eca9c345158f4092ff7bf09ad38004b022ae91e582b8c140ffaf55b724a1c6c431e0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
22b0c2a61c7c75e2c588798c9b211359

SHA1
7672fcd97240e6990ca7d85e5817a6d8c24f30b3

SHA256
3d52a3a2f62aa4411b9af5ef3d21f33e130779e477d9162fc12f771c7f78e781

SHA512
74202b80c0ce53703862c793789f29ff7c1e77dbc695788479e7a23dae25f11fa8278cfc251c99761c9ee89f54b47f843173d2914337658137519a03daabe126

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
25d41614b0a44fb7cd3f4b91cbd06f8c

SHA1
9eec01913ce8ada21027f5e266dc613350ef624c

SHA256
ba2bb5e10afce7f4f1818f7f7ab2b9bd4a0e908d3cf7ca99e1c715296069f104

SHA512
627ed0bc49147550e5be8b4ab8eaf2a254e5991f71acb5d4b46affddb3095270429bc68763ab329ec0adec8f90ccd938e5ef26e992eef6818e7e7a7eda4bf40b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
84dbe680bc80fe3e45438e9a2b6deb51

SHA1
7f84f3f43d49a31f6f6f5181d9b687f17bf5b8d3

SHA256
6a6c1c6449ec61450d5f5b00220f0cdfe5ced6b14c4e8f434233060bd6a6ef98

SHA512
05b49c2ee9bceb685ffcc81833980583e9b3c5e34468442ff2621f834e4401e48f5c3fc2ad75d7781d6767fa6697236c1fc37a925817e077cbf7941ac52b822e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
acae0a8976eb049cd5dbabb64c82cc77

SHA1
369dfa1b6ba99640f5521ce5b7514b7309163619

SHA256
fa1c79725371bb1ee550be88cc5be45f3ea78da4ec2eb3de7ecca34f1e60227a

SHA512
0048d919656622c0d20a0e50d21f8ef25d32955bb828ec9653d275b778efa5976e980d551b7719624cd6e7d4ca0bb2fb51ca534ea2ae33082d67ab958010647b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
166ee3ae36211dd9b5b82689566104f9

SHA1
c2b786259f47b5a8410f00e780b633d66796cb38

SHA256
ec378ed1c7ba80a17a6d3b807adf3e50ec2ce767a662b608795cbcf92b108faa

SHA512
b5820390e64356c2f65fe4fbe61268022d2b70d09df1f1f4ac59280fdb9f9ebdc42276ca1380c3e8fa45f582962df7d2a4844c66abd722ef94475e1ae3946b04

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
22ac795b1e98dd7502621cce8af87f29

SHA1
9d45b6ccc900e9c219b5120ff1c17bb4ae48912b

SHA256
5a63c5eb2166c00ce97e5b9bb623aa6ab0fe22bc31da2c87ec3c87886cbbd483

SHA512
f2ac0c12bf06256068305aae7a0d06868b475dfd63572080a0c0f2e76c8f07ad485cb8869c32c3dd3f66eb92e91f4db8f43633352b3ca4b9f2a5827755bd6801

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c242163fc490ecd717eaa36287636b30

SHA1
e082f0c02165d82e25ab90ce12cb182e08d0be28

SHA256
97097d196713698f05e57b3f8036f09ac887d4b298892aac6770f438f7329bd6

SHA512
461bb6d3aa6056e0194baec763e93a39b5f2437a1e788a9827c5fc5256916bede4380a4cfccbcad3aa1fc460479c3ad919785756b2030fa4dac404f2c0dc7535

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
374367a1b5c0628d9fcc377b8623940a

SHA1
498f169c9dc4e9d01e903cf0ca48bf46cdea2b87

SHA256
a7bf3a6a9e53c64c85b22640238f9e8e85aecec72d9710d21a72dca92b893c7b

SHA512
8fc93b92ed93cf7792f7ed207e721bcb53e18bdd1983654a807acceb914887bd436985a41effec78faff47bd5421f699f88f99552949ac337b78e7179b55e552

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
74b8a12a59279eaced38c3f6b98d47ac

SHA1
4c8b5deefa256e51eb974131cac57f3a02e9afdd

SHA256
269de8776a52a18312f7fd655dbfb5521034712063e0d412582692e13ea814fa

SHA512
a52a509927b930fdc2f454f2bd4f6a72900c2e30000870d8c76da771c0c972cc0ee70c083efc480259feb8fc650c2fd18201c3b5ff66794f9fa3c491c36894fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
93c422602ec3e69ba6638f7b5b0898d4

SHA1
fb576ed0e626578a49fcbf4777479e0bb5e03337

SHA256
b6fa13fee48b5271e4fdb7fc4a125f9c85c20fe33fd3bb97688401ca73c62bd7

SHA512
9e17bcbf12998f6b6535d70bf26a3066da0bc4d4548c27e418ed8660317ec4f1c471bcecbc06a8825e5eb9495a5347f3f1e39029036fafc3359237e12873299b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7f748a0dda308a5240684ca46a87980c

SHA1
5c7ae10ea693cd4fdabd4558905d71672a47e9fe

SHA256
7e9b77ad082874627c55017cecea0ff45ed98baa235c7f7246f4fc92db72b3c4

SHA512
b0cca9ac01bedeb9c383054dc6e8c0ff33b2473ddf3468eeba79516d955a6433e94731661e4c4f547e1e40b9e57dbbd6aa847e236e4053ff9aa7a95116c237d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7a62950d1857ea090f310b265c841d35

SHA1
63484fb281410b36e1201b6a35b413e8d15ec9d1

SHA256
ef39a56f3d49b72aad8b0cb6612500d9a751f28621a8417b137f0eaf472eab30

SHA512
b25ec5259ce17d673ea6c4bae1f34e53d8d31a620e8dcba7db572457b6eb43d76eaa5eea9d99c73ac302c2633a0cda23ad27eaea8a9a41d13989bf3c082387a8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
71d2368c4b8517b5a9cbc0235acab464

SHA1
9f84019b0e1acf61bf0530a2ce276e65698ab8fa

SHA256
460186c47471b924613155ec73368075c3ea5cfac653a5747284c94a0236da17

SHA512
c26edd77d161ceec03219d4fd9e51174e3badab8169082d9d02ded4b486a1ae77d031d9a0fc7ce88eae9d8186e15a6fb02f168acb6cec18f47f6729d2aaf10e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
53c6726d88287f869962f968bd9792aa

SHA1
957c161dadb13f6cea341e34bcaedbe02fb51780

SHA256
1033ff89fabe278b134647638d712e6c42b665c985bcdc1c08d8b8cdeef80291

SHA512
b540139b1ec838e4baa87eaa2110cd34d57da6ebfa7178ab1d772048febf1db18b1832ac37cfb2e851c50ffe0f4fa6af00402ad09219cfaa02325c920fd18189

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
73887827273adbb7fe7bf1866d5118d0

SHA1
4d11ffe053f0fb35546c7be2c8568c1ff4a322f5

SHA256
230b108048848510588f87d1276318b3dc4abda2bda621272f1901e3edb7b309

SHA512
dc1fa67d8d49123074303e7439396395acc12a2f35f63637dfdbda72a41067fc2c7cc388006f360bc156338c58f305842089bb0ff75949d8eb8057169f39957f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
647c449a1b3816cf1680fadfa3f22b15

SHA1
daf18b5297c4ff87b958cb1d655d6424500fb547

SHA256
9115a37d4621245cfe2d33e3e83666bcc4103bef689ec9ec98d3a0c78d1688a1

SHA512
0a77f21cf7b55ee9dcddd4c5d09c89a1971873bf9200693338bb43221ab7b4c6e0086bd5a5f84b4065ebb4e503723fa930724268c8c3c74766fad28a7bce43ef

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a9313820c14c050e09c176de6bfa92d4

SHA1
5c4664d75ece1cc0b91965bcc69582481c9b877b

SHA256
f4cca0696d182b8a3022b72d7351f47d1c663629f4b0cd030a5366da9f51bc8e

SHA512
cca431271b8fd8b4d5bcbd382c9a0219f1fbc965f9a8f0e925388be4a3361fd2374f9361683eadc5e3a14787ed1bbca1fcb50e6bec6f4d769099c3c0b6c217dd

Download Submit
memory/868-302-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/868-373-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1320-413-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1320-323-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1328-336-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1328-362-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1576-551-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1576-736-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1608-852-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1608-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1608-651-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-864-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1912-639-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2076-476-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2076-491-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2092-520-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2092-638-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2288-861-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2288-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2396-208-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2396-90-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2456-418-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2456-64-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-258-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-62-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2456-340-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2456-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2760-488-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2760-602-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2780-614-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2780-503-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3228-577-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3228-857-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3232-801-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3232-554-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3268-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3268-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3268-42-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3280-855-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3280-566-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3416-865-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3416-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3608-626-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3608-517-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3784-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3784-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3784-376-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3784-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4016-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4016-860-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4144-33-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4144-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4144-400-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4144-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4556-412-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4556-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4556-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4556-207-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-36-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-50-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4676-9-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4876-85-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4876-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4876-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5064-588-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5064-601-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-863-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download