2ad31ed788cd94203f378085c4f963c80623fe3c1695758c5ac3462af7ce9bb3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
Size

4.6MB
MD5

aaa4be077350d43d43e48e07230e3b9a
SHA1

0e1dfa9dff2b8892a52242c3a3f2b77424e9afdc
SHA256

2ad31ed788cd94203f378085c4f963c80623fe3c1695758c5ac3462af7ce9bb3
SHA512

6413d386a9c213ebf207f81513a9a0312ca8e7c6707f71bb91ef9c58ceaa554b6693a49a3adbdbb5113b0e2b3c8a98e08d22976aca0fb6b80e3eb634e080095e
SSDEEP

49152:uyEKQ5E3ieYR0PEtBFUow1b89eX61o+2xmepnUTRijbqYW3qkCbDypSfe6qwiXez:uq9ceqC+2xlUSSgx+d8y+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2144	alg.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
2056	fxssvc.exe
1532	elevation_service.exe
3572	elevation_service.exe
2508	maintenanceservice.exe
3452	msdtc.exe
4852	OSE.EXE
2060	PerceptionSimulationService.exe
1648	perfhost.exe
4828	locator.exe
4060	SensorDataService.exe
4900	snmptrap.exe
736	spectrum.exe
4856	ssh-agent.exe
3380	TieringEngineService.exe
116	AgentService.exe
1872	vds.exe
2452	vssvc.exe
4048	wbengine.exe
3308	WmiApSrv.exe
4764	SearchIndexer.exe
4040	chrmstp.exe
5236	chrmstp.exe
5460	chrmstp.exe
5488	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9f408ad64a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000525450233c9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061f14d233c9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e46a121d3c9dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077df1b233c9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eef30f233c9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a22c49233c9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068fedc233c9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008660df233c9dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004838f7233c9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
2684	chrome.exe
2684	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5048	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
Token: SeTakeOwnershipPrivilege	4536	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
Token: SeAuditPrivilege	2056	fxssvc.exe
Token: SeRestorePrivilege	3380	TieringEngineService.exe
Token: SeManageVolumePrivilege	3380	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	116	AgentService.exe
Token: SeBackupPrivilege	2452	vssvc.exe
Token: SeRestorePrivilege	2452	vssvc.exe
Token: SeAuditPrivilege	2452	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	4764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
5460	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4536	5048	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe	86
PID 5048 wrote to memory of 4536	5048	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe	86
PID 5048 wrote to memory of 1452	5048	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe	87
PID 5048 wrote to memory of 1452	5048	2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe	87
PID 1452 wrote to memory of 3768	1452	chrome.exe	88
PID 1452 wrote to memory of 3768	1452	chrome.exe	88
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 2680	1452	chrome.exe	115
PID 1452 wrote to memory of 5016	1452	chrome.exe	116
PID 1452 wrote to memory of 5016	1452	chrome.exe	116
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117
PID 1452 wrote to memory of 5084	1452	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-03_aaa4be077350d43d43e48e07230e3b9a_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.86 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x140384698,0x1403846a4,0x1403846b0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8353ab58,0x7ffc8353ab68,0x7ffc8353ab78
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:2
    3⤵
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:1
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:1
    3⤵
    PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:6068
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:4040
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5236
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5460
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:8
    3⤵
    PID:5232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1892,i,13915934825864147066,11959665060762088449,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
85e9098c32564ffb4168b079367515f8

SHA1
9ee0ebd456153a7e9b715b741c08a41c412b3910

SHA256
317979a314893c186cdae5931932f75509f9b8d61d6263e61532a97d9970c356

SHA512
f5dedd6548463a3a43e8ccae5616f78ff8a3da4e3fd06c90fb7c1bd77290f840a6faae5339c4e79693635c93c36fe63f1bd4e68aa446807482dc8ff3ebcabfb3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
3d22d0c672c71e2747299002652de607

SHA1
cc1857bdbeda1b747945e8dd19176c43a7f48c99

SHA256
05e836a3791c0e70698a266bc181e8580058a4cc2d9add56d01831cfe1760c81

SHA512
705e915bf3e24470feb8fd1e79ec7c11a46a536d8d30fe6bf82753c7dc96e79a7fc5ac7fe68706fdac25dad8f3812d045f45e20f482876b0f74531f6502d8b93

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
a2cedcfbeb412dab21a9fe7e95279759

SHA1
72921b795c1aa95fe2184d8ab8ac9c5717776991

SHA256
c34a540d116be8c701cdac93c56fe2b0f1197169b5da134a116a4bf1a26fe41f

SHA512
8a4fa92a06b70c3dd2304a0d1069ba8e4d7127b812061f4e33d9dd822a29efccf0b6418ea6bcecdeb2391d83e5c0059205ad76f645c4630fafb97e66da8d4af2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
662363e53842ceb7d9da948dee0a3d6c

SHA1
aab7c81d08d62d4cc21f945a7b27c6a05021685b

SHA256
46dc4b574e001b8a7509c21e586045cf05f2f5294448dc994b5b650e9cbee066

SHA512
125fec60d5028db128ed6df4313b1298a260167a576a5094b1127f2cd6c473c6b7fcfce6a4fd6fecd66534efcda8b29bc7fddfd769cd07dbf887df9e1e230a3d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e6e5ddea3cf37a68f660e94a3c45c93b

SHA1
3fdc366aad1fd0cb393cb4f88073abdae57c8258

SHA256
f80a9ed25db266df28d70a3d62a8f0eb32b951084fca1da1515862fb8dcd6377

SHA512
bd3fb5687bb6c62aeed2995697cfba9627e2a0620f78fa45ff6e58165344f0fbdbba3368cbe7ebbb57f07a87e792551bd018f49ecd591f19490d16fe514c0212

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
e167ef415f6a325d81d2c30c258db9e2

SHA1
65abfec1228691d31cb4d5fa757575666538dc8e

SHA256
47d5dda9e30e2ddee077d9b1f71879309bb16f894931bd5597a89875239daf8e

SHA512
45287fe6a9e2abcac37df5568d48edb3050cd9c9b928f1e7f4617ebea2fd26a8a4767550de685f31e20c44964c76943218a5671fa5298f7d578690cda5fcb9f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c5aad9c5c90c2cb0d7667f3918a0b978

SHA1
94aa6cca732c328b634b09290f5b3430658824c5

SHA256
68a1eed3e8c9ca763ca957f037a2e898ccbff2bfc23fdd35b427718f2715f77d

SHA512
aa27e79d0ba650c1ec9a6cfabb808c04a6b5d57c693e0c24f756af939ea715bdb5820c79d4db3b3a0264b5ceaf0159f1d428b4536773d4a83c1b10e8c8cbefe5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a693e66fb93691dd692fd035abb446c0

SHA1
1c022e0d41fcf07361fbc1a055d65cb9a60c9f0f

SHA256
63f2f33b48dfae6f97f381a0c538cafe580dc43b7a91b97bdaf39630ba48d47b

SHA512
b3ce8f32ecae603839ccca6b21b9a006f6377233ae4840c0ee13fbaee71210ce367ed85767ae2e443363bad0a66986f929ddff391caeb16fbe0fad21d7d4711f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
cee21a9533c984f85d1c6d18094cc426

SHA1
77a9b8ab6df3003a5a1808dfe67873ab0890222b

SHA256
3963f64d578f04de3b5e6d552837c136d4e494b93e6edd0382d27207347862a5

SHA512
66d620d007d3a24954c0e3dc07c24f4ffc898ce2b373f740ac44417e1be86e1e9dfb44ea3f7f396a18c077e1488176640ad3f7513b3bfb4ae168825e18631fc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e99709dcba4ac2c2a5c92e73df953ee

SHA1
3b74d01b53bc6a165af3c070fe206cdf4a0cee0c

SHA256
813329674ea62ad5866427a3e478cecf755e0735e8d0e96ea5859dd00566eddf

SHA512
fcaeeb327a1feec3fa7eeb89d1fb5744c1ec485bd223dc509267906ce38f6a75197bbe4fb302f4a9176ee1980314247a4eb75015450e407dc9bec29bfee2c461

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e03bdbe390f3b2836e20e2cc93ff1e09

SHA1
4c3e3b3e45ba3d0a88e5047b61db202715c85447

SHA256
0559f2be3d57351e375f3688e7ec30a5e16b9ac1cab304f08793b36761cf496f

SHA512
3399a07bdbfd6d6d1f9ab11ae8f8c144fe9a4bf98aa31171d33bc62d99b5bc545b4d741d592a3bae87c7b595ca3b0a256b6039c32ee53147a1b52f28283a40d4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7d5df693854e22a75b450cf6eb683c2a

SHA1
74fb5a0bac5a983cb8225cb9f5d3472b06db4528

SHA256
b71fef8dca48d6cb03dd42b1a46ed685ec3f56e467532c154cc1f62e13a3db17

SHA512
9d50eb0c7591c644f178badf4377b4cd9571689c4d5cba2ff334203cc8e020b81f996ac1b758fa34c6d65fc88291068573af1a66fde3da9ebe04b90a02668f5d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
63ded7745170db7742ce003cb8236584

SHA1
636821b33e3b457c9028a5c19f23c18f5d94519d

SHA256
897f6f4045772b1235018f5dc32b82deaf98230f767c16a7b4b550e43e1f8fdc

SHA512
00aa89f91de9f12155a6046effefeea3ad2b89c1bd942d157bfd088f8e142305a322ccad7f5b049f526ec2ff09c35e7b277b4170716fe838f65f162ea2930e45

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
16820f193d2992a0ade1fa544c1659ac

SHA1
72c87931353634e819063875d32a27e2009d1b08

SHA256
6c8c280e607ec61838871fe3bb90e0fa036fef45e497676a2054d104ddba4bae

SHA512
11f2faf9eb971eddc14e6834db607a975e7923d9dfc93c44c7bb0e23f4b9e6380f23daa3a09995e61982c9ee8e92e340c400766e7e2499852d78374335042478

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d71fbff7b05d1eead57666113414898f

SHA1
5263eea83368afc06640541203408ac132536f8f

SHA256
7a4d65b039609d86e94066fd738fb7f7ca1a45a562268575513d2bdd4d32aff0

SHA512
373308730ff71f50a97b7e0a778b2500b5ff76c31d2c9d106ac987c389461d83917d640e6159b17be42356a7e32e222e49669c1312429ada343d953278f2d11b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b21f4325ff0cbcef14722168d39f046

SHA1
7d7a181415f79ed4a4b4d279e1ec116b45b94518

SHA256
d7b83f7d96df7ad017ba484db1617aaf0c9f4d617fb15712ce79a75621672eaa

SHA512
cec6d03c6ecfb9d53d915a40ebcf05836162e692b799ccffd7557bf09899c865f4dba0d09f50dc1705a2872473332c71229f8a9db4fe49a2c8530ae5cce0219a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\63da7b7f-ab2e-4ded-944c-a2081f7886b3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fbf8cbef5742e0faca18fb7028d71212

SHA1
13ab67d622bcf857ae91744eef0e058f26e66f23

SHA256
20d6481ade207e2d9ebcbe312e0509f7bd493012bd48552905d9cc608f1c0278

SHA512
e84a291ac338c5c2a0ce7aaad37d231ca39d5ba4b9aaf89e506ab1ee66df7825159309a348b863eb85c9dbff4198b879df3e77a0213414904e13e6af0f34bae3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
b2ec59b4df154ea1812e4290cd3372be

SHA1
e15e12280a90578bbbb3412418e230e0e3f21855

SHA256
2689b565b5f182e2d28b8e0cb245371ab720d60511135b5fb88e49ef57f52e07

SHA512
98e24bd2c002a5142e1eb24ddb6a833c573988bfe493f292472d97c6c7460e42328604053a9806489039128d95a579ca538e45425e1c7bd256a1cecdb27f4f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c491b002d5fb9c7649fe835dca160d97

SHA1
1502233fab727a68d7b2d3a22a61941e5db048ea

SHA256
d6b09d6a816e33e702a76208db255f1cb3d26972a8d4c7dc2f4b75234084f4a1

SHA512
610f71977da3e0fc530a90fc15e78fd9d89f0db2af3d032c0331f3142d168789c510d42a932e4c1c65c77eb6e5dbb00120df897e5acb447025ecd1b02921d634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a6ed39cd7ee404de6a811d1be54794e1

SHA1
e61d1432c9e9ff923e6b61e76173b45b9ef99c33

SHA256
db8cb20cd5a5958c3d9ac54fb4ecf46dc6d2d5ec412de19b32997e7362c1dd96

SHA512
bde5c73d47cf83d2297296daf8bdcf22a0e41f064b3d3493047e312c095b6d4a204b4d9404154044a7737d19a8c5627bc823cf14fd160ea72b38590899c49488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2ed2f4435438b93f260b8d7073442191

SHA1
6628aaa5e259d44dfa42cf0e45793c2f31d1f40e

SHA256
3cc5016d1172f88f1d80c343b2498b768ac8977e85ee62ca24423d2d2043ccdd

SHA512
00510fd287f0bc29bbb372ee6521f6f762aaaf45925fa0b03d726e1f6470ebaa45fd61f1e9f59f916509cadf58a06181deb103de0304ab607f8bd0785b2cd6a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5772ee.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5651d516b030bfef8cae4ca40e354a04

SHA1
b7761f34fef617bdb0367901f5a8470ab66bd99b

SHA256
d0676ea3c1e7ae21785d6955ec12625baf3d578ef3b5e14ae633e737e27c25da

SHA512
7b31542f1e45da0564b7356ae0cc4bb62cd93c2dd8a2c0deda20fd88934f12e8688140d369009cbd55e84c0a110f68071ee40af7262b06e8e9410d6de4d4b8ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7a61d60c88c6d0276b65fc4202f59c45

SHA1
dca2b1fb602150e0c24e9a541a685ab85ff8180f

SHA256
22f1d562ea72faf4f91059dfb2eafde8e0a2ac6c1c94aeacd95a09235eb79b6f

SHA512
ef3410444c285984af65e07cc2371aa2103e1bb655f856f56e5e5f8d7807785220eca26b490bca5bfe2010ce346e861cce58c6448b66f54156b18c8bdf0795cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8496e1b98890113fc4a5f812084c021d

SHA1
5f8941a6c03d76698f75283a1ec2a6fde513977d

SHA256
e8e53935439f3e41e2fe42712325bc1e366a6407228487e143f123eb05ab2d71

SHA512
e04ab47eb73ab4e3843ca5661a6942ec8820b07222a5f0e51de4ee0246af9536253923e60e6299924f909ff45f7b9881a74f335e6d3ee5386f07b1d1acba4b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e93c793ca13696f572935d83444d2737

SHA1
5ca647a66452e90872184f196eb93dffe63f1d7b

SHA256
3800332885a88539c98dd74231bb63c7c0fc534b0a4446ddf9f5e97b814cec78

SHA512
9c970cda9af9c30520caf788ca11c7a9a080efedcc584ebacd99c4e2ac9e563a0316af1717da5f903d4cf5e3a4096759b4c6d25c7d87c55124cbc81a8854ace8

Download Submit
C:\Users\Admin\AppData\Roaming\9f408ad64a48edc7.bin

Filesize
12KB

MD5
c535a3afccea8b4883b9b528e90d6b3a

SHA1
9bc24d583971f39c3d742eac310a5e66d43a9f2c

SHA256
d9ac919a2f0f5284535f34518e0a6d9d3ad0c06514840288334b1b5f411e930a

SHA512
2fbc48e68290fbaed1709e1c2c0055cf6e21884b722383685fde3e61bdbb55451fe55596f5727af4118d2576856e9c1a3a724b4d06d0043ee8d36dd621e408e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
e1b5283dfaf84ad7124a39559f6cf99b

SHA1
fbd245a1f048b9d94dbef4f122260af79746cd89

SHA256
582fb9b5baec0cbdb836ea1e1e226483140fadb15c7816262ff7f802914df014

SHA512
a77a8df659a21d6e1dc410ce17a319fb1da83267aad3aa38ebef9a44ad1b2374a0641cd165cbf50ad81140285e99b27c3458f369465b4f0780ef1f38df1b383c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dbbfb8747fc7b8bbd6036a370d183948

SHA1
b82bc54d0d6a31404f9b1d69feb69bdab9751f86

SHA256
633ea5ad97c9d0a65fd36f39c9e44b2ff474c3972f8f9ce0a8267307b9cf79d1

SHA512
49942fad01e9ae4f1d7f22e5a5b170e5e8057e145596b43bc196d757e1ee75562b4337578a2dce006728fa7e0bba3f36fcef8c170f2e44fef66b8c0c3ff4f377

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
a514abc03e6810da2cca99961806f465

SHA1
e9bc66d84c1c2ffa3ddff4456a8f93c95616c726

SHA256
2c3cb83924dedb2113d7649e2e322948d28764e081969607439220135cfb18e2

SHA512
8d6be3b4396c7f4c5855b83ca9733e81a6b428a663044a47c686f014cafd4962eddc1ae0a2cfb621e251a6d01ff26165ea6905883467f19d368ef5a499a19dbc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5c5f19f4d6f99185e77fa44ce40e27f1

SHA1
874e28539a63ce1718863eba82f79019419a5f38

SHA256
06fcaa4a37d9036ca0939293691e30955d4be1380579c87fc0069cb3b0fa8613

SHA512
afc0875434874a631bd83e224e78fd57e6b51148cd6819306832462b81627e59f43d77f2ac811559facbe7b54caae87051ed9c1bd868d5b5978cd211db56599e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
36e3a8b72af465294280a0c83d367b70

SHA1
4eef17cb3ca208f1163fee664037f4f201f20b4b

SHA256
a4152ef944be2e94e7b9b4ac3860702ba93b44f500df613f00fdc16a5547cf01

SHA512
683d7b54ddb0563c9551e9eda29cacb81a577f90c18d6ec6a1e40c5ea46184b6b221337472fdd6a96fdf18c8db5de41a7995be7191c13b6af0d127bae70710a2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a264f262a9f67aa72c7858d601d78a74

SHA1
b7fce09891b9bb7db8aa57332be05c2ea8e01936

SHA256
b7187c6987c42a67f42d84a9126430df1517701ec207136b25db0383f9266743

SHA512
dd0823722b33e4f6a95ce760351e4dc3568b3643c382353ce3cbca1838a773069ee23eb02f32855aa70572f50416a68813f29aca2f990f079f581a1d94ea38c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0bd7275e970ee110dc59b96d4ecd4a40

SHA1
ce6446f22e71c8cadf4a6673e2513cbaf51520a6

SHA256
48349193dbb1def569b29f53ea14b214f9ffca76d7b08422b08476d355a6aeaf

SHA512
e223c0225857270ad2156c4bcba98017f51369a8e908a3b2bd5dd0846bcc667c1f4ece28b79773e39fad4b3abea2a434e5876b54f9c45a4079ee062a88d4fa41

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0a2aaa480b5533621fc8fb08033de0c3

SHA1
63bc8b98cdd105603aff9776d17c36ca5e2d3a0d

SHA256
9490c31d4e782cc799d576d5ab73964e449bfc0c70b858693aef7d43dde2e062

SHA512
3726dde7f33c4f059b80d4f1c3ef7f7794b14c29980403e9fda43cd78d2c3723c8a98245ae35f1d4d936bdc2785dd5cfce90e1ac599143a9850d7a2fb9c19109

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3f4b5035a1110f64d0e7e337d4ba284f

SHA1
d03883471da99a82b12d118b5d8f0da104b3c7eb

SHA256
d174a6a4f77e3d38011e850090a5c73f83138c60a9480527000745fc7594981a

SHA512
45a6fcbeea2f85caa56a79a00906cadca27570045b36bd9a5485316e2722254650994a351ab84ed1cd9061a394f6422518a0899f04c02f62c8007711730b5e10

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
92aa3e6a4670ac06b28ba4e18264fd6f

SHA1
228ca5392abbc8dd23b39fc87249997b948407af

SHA256
e541054cbce6f42bf8eb01355081c650d9ce9a19e0e194943c22d44d37ee5839

SHA512
e63a47525c0aa592d21f51372e00b8345a2f7c1ff6ad2a95039a8d873ccd108e80366a385f723b486210a059809654593e936b25c4b94940844eba68a9c7599c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
ca47dc2819fe205fdc69cdbcdbea24c6

SHA1
23792b3aec4a9919e51eca63869b1e3359cbe3c8

SHA256
cc01aebfdbcda761195b8b5890812878ffbdcd66085c9ead3efe0f9b8d8f2f7d

SHA512
802f63dd25e437db1407e065a16a8132c92ef485f996cec7b8ccf634c331c4d13f9ef2ba4884b6094b0a7c76bfae38ef063db67dadebcbe39bb83107becbf8fe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9359f75d586ce24815752c9a0177e79e

SHA1
3ffee0a14c816d0e07336067dbe4d8a727bdaded

SHA256
56d0e6017fcd14ecfb93fb690201c4409c0b6cdd205d3acf724aa12a0f3176f2

SHA512
25a1f0e64c41305d6838edfe2bfe472f50f05b0577dd7df2e94338f54bea2278bb9673a82bc460fb53f3d27931bad9c91d88af314a8308af80bb2fb0bb8913da

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
daad0497990374970176ab0ce89fd7fa

SHA1
20aa89796896539ecea6e69fa487df57f563a429

SHA256
a5c12df5110a15cdfb84ad82973e55384b0ceef0bd1867b1f61c511a449ae1a4

SHA512
1e9f133b66e383094fba1b7873f3066a8f77e587b17c4cf4e8827da51bfe5f12d80900693156058bc4b998e30c11d45618792442c732491afa5a90008a127b18

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
71025f7cf8fd1bf6f0f8fcb207846bd6

SHA1
f798effd4f201a2421c5ffadfcf9a1e290c913f2

SHA256
0b52aabc0c2af2a1c21f5f64f6fb154235e05ea19d477c1828e4e461eed6077b

SHA512
b4e638da1d03fe0ee0794a5cad4fe5dc42764fc17740b76deac1db2cdb49d1bb54f10f5fd88338046f1c92c9a97bc25e5561ccba1190cdec010855c6f3013fda

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
378764c79c4f0e50098749256b2ab4e7

SHA1
a7dacf9b428459283b0493e89076eef8cb060575

SHA256
dbafab73e370f94770fda2e706029b48fe80b2df4be6d928861e8bf910085a3e

SHA512
d1b5072d75e40cfa746e7e863cc70c63a0f21ad66980be4384bca5fd56ac20fc20a3789650f1d3a56f3eb3db143fc8410e8cc1caabf6bc0180f3f644d7945bed

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
322471726a88d4fd6341e356daab63c5

SHA1
33500574b8d3003d44b2c1bb0e5a19a78da2f234

SHA256
cf30a2687c9e465568cee2a7fa382ca50b25e40680f8034a279d3802cdc008a9

SHA512
32ec0cf9e1d4d32d018b078dc2ee6fffbbcfbf76e291efae4fad2bfc52befd15e041447721bb1ecf56fcb48c332eae0377f40e3e5c1f3096ddc1f7117a8af2ed

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
3d0af7d372c067bca18470c0c4eead1e

SHA1
280fc38e5e8a578c989dd770170dc8b5335c0317

SHA256
3c7626e4284c00fde90aabbbe2c644410f1e9a5c8618a24fd338cd0db1f3c53c

SHA512
ad02921a072213e93c8c66e85819f218aabf5087f7ad832ce55e2e317155f21edf6fa5fcd93ec54053df7418e8de572f08e99a5d2b3a2fe36d1528af341f15f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d16486283b1bea715dd2335ab3c01e23

SHA1
6a4ddbce244ff7c8706222764ffa4c9e6643f186

SHA256
27959452e187cf41ee7fe375fcfbd50cbddbaa8dea40d00d5ffb8e91a28271c2

SHA512
7adda1abcecb9b7cfc29788b6e8a25aadc048ec6d8a329c569c1ca21616d6f898beb6bbac44ea24081f28bea245e77a79737ffd78cd862191db466eb33aa9933

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9411f83e3aa7919cae9f0b42e409b975

SHA1
ad89a935a7c7abb60c26767af42e37b8ceb58a58

SHA256
dc5fdcd0494baeb2636a981277c8ae410d77779e131c3269cded46f6f8c7edc2

SHA512
888766a7e5a7ea90fea446de7395f078284147825b10c96fb5735ec1e682e7926159f5c8abf5c29b7fc249fc08933a01d6e8f3020d96d008f2e41e553c925f45

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
f4c04aed954971c84eb5ae0e4736be24

SHA1
a4219a7dfab76436547e2e2b716f66fe35c70d7c

SHA256
666740eadbe3f392a1dc6b500cedc9d7f4a610d3bc09f3e24afa52e7439375f1

SHA512
543be80e9e3e1b6c7d00359cb63836e7cb6493175ba7156e07f15d98360b05609752bec13d91e41d561142b54ed04de1a63b6964df86050803e54417e99c0366

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3728c7d0bd21453c5dffba2a9dba6f7a

SHA1
6048023d32896f257d15e23b1c261846583dae6d

SHA256
6d5219883e8efecffa4c2bcb53fc071bc9646eb183b6276724bc9f821338839b

SHA512
86f83fd5d4dd8f4657e4e5c0fa571ec1fd37be0505c88a2fda67150900c52a3a8d8896bb9fd8a5788a59fff8f57ff1b5c5929e9967882f5968df84c3022c6466

Download Submit
memory/116-156-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/736-219-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1532-296-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1532-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1532-57-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1532-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1648-177-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1872-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2056-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2056-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2060-176-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2060-105-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2144-468-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2144-27-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2452-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2508-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2508-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2508-81-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2508-86-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2508-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3308-594-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3308-229-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3380-224-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3452-90-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3572-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3572-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3572-518-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3572-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4040-431-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4040-491-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4048-228-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4060-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4424-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4536-20-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4536-452-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4536-17-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4536-11-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4764-231-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4764-595-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4828-178-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/4852-99-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4852-175-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4852-93-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4856-222-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/4900-215-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/5048-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5048-9-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5048-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5048-28-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5236-440-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5236-660-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-480-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-453-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-661-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-469-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download