70c915c1360c7a5e22c17107bffa1bdcf565c7cb81804017f60b4ab813dedf3b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
Size

4.6MB
MD5

ef811d98bf983f7709218ca5c263c4ef
SHA1

f9ad682d5f5e66888fd31d07b9f9739f65f4b58a
SHA256

70c915c1360c7a5e22c17107bffa1bdcf565c7cb81804017f60b4ab813dedf3b
SHA512

61cbf69acf7990bdbe6dfd0669541615bba4a07fc38a48f9e1a2f4a70200b97e9e8d4c8b35da8b259cace803ffa9a556e5ff9eab828a7067e4a2216fc7f99c30
SSDEEP

49152:+ndPjazwYcCOlBWD9rqGHi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG+:E2D8OiFIIm3Gob5ruamk6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3476	alg.exe
3308	DiagnosticsHub.StandardCollector.Service.exe
2344	fxssvc.exe
4320	elevation_service.exe
1772	elevation_service.exe
2376	maintenanceservice.exe
4072	msdtc.exe
3004	OSE.EXE
380	PerceptionSimulationService.exe
1416	perfhost.exe
2464	locator.exe
1912	SensorDataService.exe
1876	snmptrap.exe
5112	spectrum.exe
116	ssh-agent.exe
2240	TieringEngineService.exe
4296	AgentService.exe
3000	vds.exe
640	vssvc.exe
4288	wbengine.exe
2576	WmiApSrv.exe
1408	SearchIndexer.exe
5184	chrmstp.exe
5920	chrmstp.exe
5540	chrmstp.exe
5832	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6b3327a98beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d09b0b34dbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044e83c3cdbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd8ad933dbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004601d43bdbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cec97b3bdbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1a1933bdbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609196411706965"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047842e35dbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d18bbe3bdbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a427d733dbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007075e533dbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008116a93bdbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exechrome.exe

pid	process
4404	chrome.exe
4404	chrome.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
4260	chrome.exe
4260	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4404 chrome.exe
4404 chrome.exe
4404 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4180	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
Token: SeTakeOwnershipPrivilege	4612	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
Token: SeAuditPrivilege	2344	fxssvc.exe
Token: SeRestorePrivilege	2240	TieringEngineService.exe
Token: SeManageVolumePrivilege	2240	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4296	AgentService.exe
Token: SeBackupPrivilege	640	vssvc.exe
Token: SeRestorePrivilege	640	vssvc.exe
Token: SeAuditPrivilege	640	vssvc.exe
Token: SeBackupPrivilege	4288	wbengine.exe
Token: SeRestorePrivilege	4288	wbengine.exe
Token: SeSecurityPrivilege	4288	wbengine.exe
Token: 33	1408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1408	SearchIndexer.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe
Token: SeShutdownPrivilege	4404	chrome.exe
Token: SeCreatePagefilePrivilege	4404	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4404 chrome.exe
4404 chrome.exe
4404 chrome.exe
5540 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exechrome.exeSearchIndexer.exe

description	pid	process	target process
PID 4180 wrote to memory of 4612	4180	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
PID 4180 wrote to memory of 4612	4180	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
PID 4180 wrote to memory of 4404	4180	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe	chrome.exe
PID 4180 wrote to memory of 4404	4180	2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe	chrome.exe
PID 4404 wrote to memory of 748	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 748	4404	chrome.exe	chrome.exe
PID 1408 wrote to memory of 3800	1408	SearchIndexer.exe	SearchProtocolHost.exe
PID 1408 wrote to memory of 3800	1408	SearchIndexer.exe	SearchProtocolHost.exe
PID 1408 wrote to memory of 4244	1408	SearchIndexer.exe	SearchFilterHost.exe
PID 1408 wrote to memory of 4244	1408	SearchIndexer.exe	SearchFilterHost.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 2592	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4800	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4800	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe
PID 4404 wrote to memory of 4104	4404	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_ef811d98bf983f7709218ca5c263c4ef_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.119 --initial-client-data=0x2a0,0x290,0x2c4,0x294,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e7eab58,0x7ffa1e7eab68,0x7ffa1e7eab78
3⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:2
3⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:1
3⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:1
3⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3552 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:1
3⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:6060

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5184

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:8
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=744 --field-trial-handle=1852,i,6095115933495421864,14195475601074617402,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4952

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4072

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3800

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f1b1455acc822f738597199935204ba0

SHA1
14dcab5ab83fb5963069ad0291aed7c9c9d668ba

SHA256
919801e8a4b1690b60c6b088b9353f9bf26c80950d8305bf6ac2b5cbcc79862f

SHA512
bf8e9587e753614146b80f3e5491d491cc38d09ea2863138658c549bdf128700496537ec8ea198be3ef7862b17febe1ad0aa6223b9da197d6b8f45863df57f56

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fa16b96230dc206c5cb8865a86f1ca2c

SHA1
ac71e82b35a48277e0e840c4d7f49c3b777ece5c

SHA256
4772c5affe92045574ba5072b58ed2594cf0944217c7eb6b0086680d3674b56f

SHA512
5d9a93d74d22aefe279f5a75f6ff928be6ac511131ecb20dc1c19972d1ef410b8856d0652a33f1efa189e7f3d4d25ec809a67ae3a43e448ad0f5fd26c07c2e90

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a1c2b6650f0757b7506a91219e8064df

SHA1
97d13beb8d36fc914e9ca434a4059ede6ff0ca8d

SHA256
06cefa8f28dddb5f411a1746454edcac2331f21c77469528f19c50af5b0650d9

SHA512
fe918c56b375a4d1996408912a5a00424d323d8106abf831ff8f27482219a3e1f03e1f5d79d8d033811bd6f1d5c9e8e08357b2313d7ef30d9bc3424bd74b74ab

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7708bb6f183369a410018c8f05ce18a0

SHA1
b537de103901a5edbd975bfa92e709dc39a408ed

SHA256
372f1b3a3f5adc0d0cdd2ee6516547df887412b7a9f284e904a2258593182ea5

SHA512
55ad0c0193f59efff4c2916d044616423efee87f6d71392bd22279b31a5d9319fcafdb247830125499998044bcb60c6da5dd91f9c92a6b338a653c5cf9e81dc9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
630c61ba1bc8f54ac97866025d3c996c

SHA1
8e7eeedf699b68686d8b8ab479d4a2d7fe21e729

SHA256
a2aac4480dd51a670e1ccc15eeb5313ab4265199f68d3110aba050532af56dcb

SHA512
92cc2d61de1f8a6522e2f5a0af1ff6ed08e7a4240e6b050ac7d30c401339ecd1c4d7044bc52dbcaee07f64e0bb37e083885e4428b2807ef8dcc4994e01c215fd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8d5c61bb9749694aef9b93c4743d93e7

SHA1
7f9e41771c3920a1e74529385bdc1b8d7009bdef

SHA256
012dd7a0ad794a9123d6e48457b564fe268367dc6100884216a67052ef5c9292

SHA512
35a6f2b91ea30b5205cb29c5ffeba4f71dbe2dd89f282e0392887aa8810281a49a06e77df0f1d4298fe8208cdaf34c843562bc943bf56ce76eac1b5b59527376

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
42429cd285752fe5bba926fa32f80335

SHA1
5d4712547fbb1445466965d24db41f099587c81b

SHA256
77a3bd3b947abcddf28b840701b1d97d6984e5a4fa41f0938f8e35a9a986675d

SHA512
8a442dd8447c0458164b955bf2d3dd643cbfc90d4e2eee1302fbd0cf1b7b160cf5fd828f1ab1db3a8f4698996c5349e1a397df5ede87ed47715d4d273774290a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1d76207b9949f54bba700878037c579e

SHA1
8b921f0b71c6a6357f8e67a013958246910c8344

SHA256
3cc40edd7fa7ebb6c5ce2b75353fc49d56e28bff6f9e440703803b21e76059dd

SHA512
06d7e1e490b20d5e6eaa3540f54e611340db4121f832e07787bb8155fe9d5e45eeb960527a54eb1d8e50c9c227f64b1b0f23b3c838f80805dde13e9dba75dcef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
822b567f9286ba034bcd68670949afb6

SHA1
1696665eaf979f8748ea6cfe7224c41317469001

SHA256
87ddafab6a66e56acd82dcf5d57bd1abde34ba1914361b7419b5ec033b7ad083

SHA512
6796efae6a225c5f5213eed50839f1dce5ea7c295934be570c0edd76f5c086e16351a09d8950bc4c4eb933c1c314e5318d67fcd96302b11b4f5317d4d8ab84f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e02e8f020332cf640c603e5b541211d6

SHA1
c98c62078bd3879c0c7e21217bd8576d19f7978c

SHA256
5db4ac72cdc4868190e5413be4fbd9db65336b4586dcc034ad4e48ae69ec2c0e

SHA512
eb4f138402282d9ab48ff1073bc6a46c44de6944c1db47ec37110a6a9f61da8917392826acf2806be709a8cd72222f6a3551fc3894f3662ccf3ce9f6e2ae1687

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9dfe10107cd5e9eec7a2fceba22c8a6

SHA1
0f8154e07ac8f107f582a6c5620ab1ee3b59c711

SHA256
2d19d51cce05b06c94e2907b36770348d2abf180ead7f093b00705095eaf724b

SHA512
9c43ab5434dcc521be3b2842b5ab9b2423bd0c462b5200809858a3c550c4cd104f0de359159407382bca224d967c397edf31ef1d187ad5eb5d4dd115a9d2b907

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f1a82208b1d460d9d9ecb4ee0f7e962c

SHA1
ac19d379690a30854c7f8dbed7de46a19824400b

SHA256
3ee9d9be29270a6a83a25c01c41b76f7f5b168f470608531b42cb1ac01e6f2de

SHA512
5fa317ee4d7f6a3f51c81f85a863c8e20f8c82608a61b292e982eace8a90583b937a33f393c9672f0e185715a6df914b811ccc215b1772417441ca696766f2f4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1108a7b14eb8a480912630b1aeeced0b

SHA1
926a67a53b505178f63fd22c4215fc93958f0b8e

SHA256
9ab651c58b5bb065d2cf79992d7fd9124101e87c2ff75f8f1fd6fa5912c5ecc5

SHA512
ce9b19baf1a78b650619c8c45699c41585ea770fcc7d0c46bb68cd65ade9171d2c68caec9b5081782a46601135c9befe02b55b1746ef67461e6c620b0bcfa502

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bc1df435d607eea377480793cab7215c

SHA1
607c2e4125c4384f2cfd65708e997db0828ae7a3

SHA256
d875fb1d444adadaee1734be5301945f67af9b03e40d57fcd611e7aad15da97b

SHA512
18cd9ccc5a6ab438e70e5b335d8e1b3513b07226cd3de27c5beda010531d26fdf2a81c06eb58460e76b0c800b397c62ce84ec51e857aff49e702905b4841139b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
34724b9865690e6989d7d05f29deba95

SHA1
feead7f0950ef5f0f1c77038820e1ecfe03c6bb8

SHA256
f9e02a0f5f413c50708727c08820ce2a0149cab20abe2a7d8e81b121716c6cba

SHA512
cc095b87c21efff93b658fbdbf627a36a014e9ef6f2881a1a4e38784598c5f363ea62407435588fea5c247490ca3f38565b8142ce01e945ec811eb309ad99326

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\664f035d-0526-453f-88ed-77f3632ebfec.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f77953038804e09f18323d04eb7a8510

SHA1
2d78df5ee47c2c2c6a9f017e463415957fb725c3

SHA256
d4c3d04ffdbce5d101bf9356ea37d89ac7acdb11c4d7aeefc3f5ffcb3731d65d

SHA512
a83366b149c8a1125081c8ee434595117f0c83ff6afc779ca5468b65cccc9b576d6ca60c79c7b017d7d0f8d7556f87645609c2bc48127fa25980439405a79fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7736a870028c4c038b71f4483e41c816

SHA1
ba663656fefc0bccb9a6ce9ee19db3460caa4abb

SHA256
3393161b721cd1b827b790f3e810e9085045158246367cc36266ecc219c6308d

SHA512
5fdf6b036a04989518e9295df98c2be2701fc2e9d7d0a8b28f187a0fdb0ef304652748f74d3ea8818bcaa3d9095205fcaf1afca097ea46b1766098948c29014e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
e30ca081e575e2818ae17fa22bb23acb

SHA1
38cc43d4a8db0cbc49c98c320bf810c632817715

SHA256
3ed38ca2b3abd2d3dc127f3451583380e3ce9799a01d37b6e79fad997afdbef1

SHA512
31d8a3df07faf31e8c19c7ad3220cbed0e33a7e6ee86b493ecad59dc031e80270b025012bb3efeacf52305e7f7c297028d4709e190f866ddfd3a7c7a2c941e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
04362a0979ce114054cc12dac3517138

SHA1
597269a7bda2895036494d70e7d71f15a7ce7369

SHA256
2b8ece6b562165da9c6242776b5f30fba00b5ab1bd13e89e8600cd57c3942b9a

SHA512
84e2fdedb34e58873c6c2f450a5e00e4799b0b2fc05c92f31d745917ff40271a9936b512331eec004c9da9e3f483079ea3724158a39ab678a56c47e1745a1b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57665b.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8a58bdd28cac90b3c755b32c863264a8

SHA1
5c2c573b3422a22d033c2adb5f22bd0a3cdaeabf

SHA256
848683611e9ef7c1e88309182f517565a32ca4d1095a4617cf996eb8fc29375e

SHA512
4692f0eb0228f147fb26880b5fd390f8927046dce97ca8aae0f52ce0674f8f4b25077c5ea0567ab523b2492338ab2a162f8df579cb507d4487f4d2211a1683ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
51d123b51e3cd3a1d215f1af918c9457

SHA1
b839e4d350dca327fee9c79ec9b113f6c565ec22

SHA256
e10f1d2961675e088bf5e595bbce87b66912e2d3401e3f873237baa805842411

SHA512
956ae6d870c21011bebd888427e474cf81861a30f03d71eb9fc05d713d66daa543732ef1c9ecf946143eaff129096ba79157d7b055c2719c10db599c3ae7ad12

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
36e1103c5f6ba1159d238e4c62fc71d9

SHA1
3098e9a0fb86567b246c998f941528b32799fcd6

SHA256
cdd8b04a2ee63301707f798b0bec9730b9716ee5cf0ca101fb17df912b425e44

SHA512
23cd542aa7c7ac1f65d4cf70e550834a9c0d0e3b245b6bfe8eb4c6dd1c2faccdbf24cbb3d79e1b5146cbf401170b9fee068be11cbbe3189e8101699f734afc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
55452d2e4a1c08307dfd2435a4a385c9

SHA1
71ed9e346d3b174276afd42dcbf5c82e1046cf1a

SHA256
8f1a38686f295802e6a45b78f5396c304407cce52dbe0da41492b746cbee1a62

SHA512
838cfe24e55506084300525ade7d4bef82db74a0900a73fee814affb56522ca9b42fc0227acbdcb0ea29b406c4a4e70f6230b0797046879934dc5c220566bdd3

Download Submit
C:\Users\Admin\AppData\Roaming\6b3327a98beeeac9.bin

Filesize
12KB

MD5
98ef9d95f3b1e9c305fbe7abad105493

SHA1
681cb7a8eb7e3dea3588e5e74c5788a100ec80ab

SHA256
463b6817a907746caee08eb81b704f55bd2726014d6d57468ff1ef0a6970aaab

SHA512
36862b259c36d2b77f76342f366f55a0d7c3822e5b1f5915d6837198ac09d6b4f2dcd3758c40e32759e98fe7c111f7ad86ca1fb1f6c7e1586636fc4c6c654dd1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a3fec7e83112cfdb4a2f7325c6f07ad1

SHA1
ade4046b8083abadf38e728b266ae966525e7e4c

SHA256
3871e97d42d318007c708ef2bf4b38ae9dd3d8b949c749786e28d76492f10c63

SHA512
8b7b28e3a644467b3334d8ebca7f15172a147eb9d48dcda3ce2a8d78ccecf4db640575d37888fc3fb1ccee0d1e689e9fff40d98e7c84a597725160b2a7b30e66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
00dfda03b9851665a4bc5046aafa8f93

SHA1
efc4691e3ae4a62319ad4d8d07b3de3e7dff7af8

SHA256
9b66a70d08e4af30d725fd9ed701b5420027567533bd5964cfc8282547dd9df0

SHA512
3a135ae485f9bd8cab7623439cfd86e8bf33cac796d434c1deb9db74087cf268b14ac14f536e7bdf40a5b617fae0b95140aa67747e3e758c24fea2e6e9365a12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
52658c6fe03e85700f4e781b859aa67b

SHA1
5fc949d90c08d16b334cc8a138af45018f225b1e

SHA256
24f1319503d8fc692b5b46addfa93d039f76a7d7670cd5ce4bf6426964b42efa

SHA512
1187cfb8f2008368601e923edf9cfce0ea58177a0daad699e2c54652fb24086e63ac4d8814c96b4ab9ded0aabbe98410c4ddfc0ceeb894ec9cb5a4cb7f938d86

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6c4882a9d000c7cb2d5d60fbe3d2a4de

SHA1
8f9fc53c9ef173e4cb93ec0ea013c2fd395c39e1

SHA256
5060433c4876810a8987f09314f9d839c15a9d85e1a074f3c40b4303bf24c993

SHA512
7158667ce8ecea85d0b2ddb37f82819d93044ea357d240e80197698f4ca2f5229de38c4fd2a5a3074f9460fa916154ebf9f8b6ff2e0041240f3cdc98d56015ea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1e07a3c2976b2251c831d32d9422363b

SHA1
4fb5970d9eed4c5f0f79433ab525fd578be4929a

SHA256
e958b6148e2e846a03715b79e2916404620b87b386bdcefe2842e0cbc6eeef6f

SHA512
3acaac5a54b8b9d9ba14d409bd71b25e50ebc638659503c7e916ee30c1a85c5f08b2b637bc9de03837b84b7c09861ac63be5c2cd309fe2408b65fb9e6e5c5eaa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ac718db428f284988976327d47ac3143

SHA1
a0daa6cc7eff2eab2753cb85ebf2b2fde94dad00

SHA256
9029b24325f58649caea71395c1be5739ecd3de9156b4bb956fa9cd4de37e0f1

SHA512
bdf78e3b0a09739be8f62008cbe713b77ea902861f1a7c1078dd29b9b4de24e99c1b3ba7ffe5f5e2b8109265a160c8b105c1161be864b531a12a24b7e961cba2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f13c21d260e22e9790c22501583d6b41

SHA1
a110cffcdd49a45d7a21dc00a193f1dd734c8847

SHA256
5ed5008ccfbeb34c4f6615624d14f71c02e5d592be8c5a6866af20e3ec16062c

SHA512
9425a8cd69feac7e2c3bdaae066ac8394bfb67523cdbeb945e79d71e9a0a731a46cd56d6a833aa4c7b777e9dccdedad1ee4243bb179afda352a42c9d884619a6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d11b7b44512db549a1e284c2a59d2117

SHA1
58e966877c7fc4eb56a98dcf7d885fa3122529b1

SHA256
cb9a7c5b31b8562806f92163921dbd3f786e4b265b78ca39dbfad70b6f198e30

SHA512
c1cd654c9f236e5eaf52f4275e4599bcab25f713f948a6b218072cbb9043e4e46cef133d51f9d8d5b5afc453341d4d0d4cdafb21208982aed00aed9187a7c337

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
71926e2804257a52537db6587c563fd2

SHA1
f9373239f1ff92a6f708d3194233747a761d6a80

SHA256
53f7c637777174a49a91e058989b1fa165181c8fbba228c91c608aa50c524df0

SHA512
09cc7d375427b3058e61ce197db43fe0ee310703aea4d2810ee43844adfb1cfdd1eea42d5746869e1fc5957c5740d787d133c9d816717526365f28d4bcc23269

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2fdadf2e232eaa3b743dbd86d16e5bba

SHA1
d3754f174aba02b93ffa7867fb946e199b6665ab

SHA256
b05072bb56f120e3d7ec3eadb3697461b697bd90d52375c49c5935be45024157

SHA512
ef59fe5727cd32ef8d53390465488a0f33e32a62d420f4b087331e2631f16df86addd0bc44402228fefdafa51eca77e11226d7f7e369ec1d8b20e7b14d9e30a1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d72330025d4bb79cf0d68b57335ebe28

SHA1
256514fdea2252748a47f85dfbe709c44107a125

SHA256
bab5cd3f6c895ab55c1d2e24eb01eab9c51f797d40862d867d18c92ab68076b9

SHA512
13ab4d5808d88fed9c83fedce31294b27b708ef3d553999caf726e38dc1bc76ca06b9d2399162207bc05c262821b38134380685044b83ba3e82d722dd6d28f6b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0675b2468f1678d7489295c376f9b3f2

SHA1
5c7e086fa9149bae3175eed1745dc7e3862a00e5

SHA256
254fe9b3674752fbab4fc6e3d26df76644338fe6a39e24d5162cfa3933877173

SHA512
a0e5798aa96530a4c5920c6cd373f6792d6578189e2bebd178aacab1a506970db47427211489b9e731038678d1f9cb7e2729da66ff172a5343305295477f78d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
027392dee926250ce8dbb3859e692939

SHA1
1baa9a35cf4f820bc246c5b14003978913b30f19

SHA256
415e50f08195d4a908ff56b1ed5b90d1d51d03334e552ab4d3d6cf7433e47146

SHA512
ab912b11cdc6a4fa7299650f2866ba2ece07edc0dc12e5b57cffeefd3d654d64fe4fef1b34b5ff577c618d9c43885915d633fb05f3d57fc7753f1e729c75c35d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
102dc85ce9923c0d6451b052a0e94029

SHA1
8b75c6361a0e1437f7e88fecd69deab9137d9711

SHA256
a8335b85d9cd9dc91f42e11c61e36ab5ab4979877b63fd87e55112f99dead223

SHA512
e391f082cdf6a356ef9206c6ad22d080b243763bc8644c7906e65f7a5fe5d6e3bc70e8b826fdd5fc2ecb78bf5c069f2b4e523bc5f9372f0969cd3edbe017e983

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4194df988a641e75d36c16c9317c1c3e

SHA1
f253fdfe160860ad20ab244cdc7bb44ec8dcc142

SHA256
4e98551f12f19af83a4ac85e985c706e26b74a88f380bad8c7a72ad4c2173ed4

SHA512
369ecb11ca6bbd48e36f7166138fffb46e59c149cd522ca537fd72cce95b629b6ce5cb7ed354c640eea07c7ee2249b75433ed75b12cc68f0858ef3454cb2a596

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9598c108fd58a0a8861e3b0d02a54273

SHA1
94fee26aed7209467617ce9b261ed4756c803085

SHA256
61a75b8386c4e131f210a84ae8551de22a2357c54ca135c955914d6681207759

SHA512
8100aed08c91b1a26d11998803d8359ed1ebf79f24d4f45f77971daeca7bc47a95a708afd483d51ca6f908b7f576af5965343f10c923314d385e2e6f0fede676

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aa59e7e9b9ca2e497832180563d9fa3e

SHA1
b24c028a3a18234642132a53aa29bb3d098a8069

SHA256
0ab1675c528abce2b7cb0f40be82abc11985e07dcb16033ec6ca96b0f17f1f61

SHA512
63dd4eaae86108855f48b2a1bea4d1ee1f31bb84ab96ede280df56d52ee7ebd151b45bf82a1b595fcf76e04342dc6072f8fda95bec78b717a2c1ebb53cd11380

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4a70213a472e06fedb4a6dee29428534

SHA1
f13325f491d8ad54a0cbdf877054b8baa18d4a20

SHA256
b53448ee60b71e11c2c4ecef013243130b97758b4ade4a4fc75bd73d48f1f5e8

SHA512
d5198a58375c9c096394ba312590219f9f0bf70bffe3350b1c6de80c5730d0c82088d01fe43685bbf3541919cce9680bd51fe8d295f0c2640750a57dabb9f116

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
108e12abc853e1b59d293646ea4d6ef7

SHA1
f01f15c30dd4315ad2d55dc2f71bee609c1dfde2

SHA256
cf5caf302c3afbb3713b590369c0ac58db76333075a367364002ba9f36cbc4ea

SHA512
acf20179fb183ac59c5c2570ffa52720e4e8a45fffc18eff9e888c3c745a8068eb0d74526c45b6bd8f6eb17f8f0b07327593682a661047fa99d71b866566a911

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3082448b1f409d4021986df0fe4f8226

SHA1
f035f24f441e8175578e2b1ccda2d6183e1e3a10

SHA256
97ae0d083c87807122539cbf50cc3591c114a1b698d1c84caf9b5744c551aa2f

SHA512
97f49ba39432c09745d656517f8a03d03e780057e27ec08a81e95fa904019ae5bce550a752689ffd18a034931e97b2d84d69f32ff7552ca923fabf47dba0ded3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
6fddcabcf68eebc91f388e69547a7957

SHA1
388df72115d1d7c09bb3197c6fa93e26e6113740

SHA256
62ad17d08922a4938a9bbb066faa7b9ed6e60d63f5cc19920ef5535dee7fa628

SHA512
d16c77b6a6281050c575781f80e2585a3d80fbcf8c9890c54df109ea5c1d7149ab5769b55a1daa25f8b839987e04ff0a078c20aa35e7a4edc3858b0ba174f80c

Download Submit
\??\pipe\crashpad_4404_DAGJHPVUCHEZKAUY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-282-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/380-276-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/640-321-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1408-645-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1408-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1416-277-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1772-643-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1772-273-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1772-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1772-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1876-280-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1912-610-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2240-283-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2344-56-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-68-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-62-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2376-91-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2376-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2464-278-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2576-644-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2576-326-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3000-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3004-275-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3308-626-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3308-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3308-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3308-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3308-50-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3476-611-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3476-34-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3476-33-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3476-40-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4072-274-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4180-15-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4180-6-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4180-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4180-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4288-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4296-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4320-71-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4320-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4320-400-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4320-77-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4612-10-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4612-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4612-575-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4612-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5112-281-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5184-603-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5184-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5540-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5540-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-743-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-742-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download