a81608e3483538549365b8cb7b9f24a8838e94d2bff57a7971eb4d2be163ddef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
Size

5.5MB
MD5

1ba7ab013ddc19b4cc6ead9f48b192bf
SHA1

bf323585fed984472359cf6280a7344e5cc05c8d
SHA256

a81608e3483538549365b8cb7b9f24a8838e94d2bff57a7971eb4d2be163ddef
SHA512

0c64b1fd1e4f3b805ace7dc0c287c3ab68f86be02faa83fb634477ffa39c30e634586351c145e541d3f5ee03c85c9bcd84ef0fc1a251060588fff21f1eeec068
SSDEEP

49152:oEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfO:mAI5pAdVJn9tbnR1VgBVmmhG/2o3p8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
4228	alg.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
768	fxssvc.exe
2148	elevation_service.exe
2160	elevation_service.exe
2168	maintenanceservice.exe
4048	msdtc.exe
2904	OSE.EXE
4620	PerceptionSimulationService.exe
1796	perfhost.exe
208	locator.exe
1656	SensorDataService.exe
2128	snmptrap.exe
4212	spectrum.exe
924	ssh-agent.exe
4828	TieringEngineService.exe
2416	AgentService.exe
3772	vds.exe
4256	vssvc.exe
4308	wbengine.exe
5704	chrmstp.exe
5860	chrmstp.exe
5968	chrmstp.exe
6036	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\726a30f0c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080a96b0ce9adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8d0160fe9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007adb8b0ce9adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006833910ce9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d73a7e0ee9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035c3970ce9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610355392762692"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084a67f0ce9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
5080	chrome.exe
5080	chrome.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
5080	chrome.exe
5080	chrome.exe
5388	chrome.exe
5388	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3220	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
Token: SeAuditPrivilege	768	fxssvc.exe
Token: SeRestorePrivilege	4828	TieringEngineService.exe
Token: SeManageVolumePrivilege	4828	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2416	AgentService.exe
Token: SeBackupPrivilege	4308	wbengine.exe
Token: SeRestorePrivilege	4308	wbengine.exe
Token: SeSecurityPrivilege	4308	wbengine.exe
Token: 33	3628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeDebugPrivilege	1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
Token: SeDebugPrivilege	1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
Token: SeDebugPrivilege	1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
Token: SeDebugPrivilege	1956	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5968	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1956	3220	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe	81
PID 3220 wrote to memory of 1956	3220	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe	81
PID 3220 wrote to memory of 5080	3220	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe	108
PID 3220 wrote to memory of 5080	3220	2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe	108
PID 5080 wrote to memory of 4520	5080	chrome.exe	109
PID 5080 wrote to memory of 4520	5080	chrome.exe	109
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 5076	5080	chrome.exe	110
PID 5080 wrote to memory of 2464	5080	chrome.exe	111
PID 5080 wrote to memory of 2464	5080	chrome.exe	111
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112
PID 5080 wrote to memory of 1028	5080	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ba7ab013ddc19b4cc6ead9f48b192bf_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2ac,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffba347ab58,0x7ffba347ab68,0x7ffba347ab78
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:2
    3⤵
    PID:5076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:2464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:1028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:1
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:1
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:5648
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5704
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5860
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5968
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:5108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:5708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:6132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4740 --field-trial-handle=1944,i,11803963664129310505,284420078747288787,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4212

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
20af48c3c5b755f9b5ca8a9eaf899a29

SHA1
4e1170fa3bdd5977abc32f18f037da7c7b9c1e74

SHA256
0fe016194dc228794ccc679c614387c754822e5d04cdd63b401a6ba80a780207

SHA512
63e6fc5de698a34c6a463cb2e28e7fbc207b9c5413233428b9b1ca93b100b18ca49974b27ba7f1eba7ebefc4acaf857a34b96b5d29ce72c08ce0704ee8f14ce7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
75a2150f0e40987e0a4308a776f51d87

SHA1
d16c8323cffd77ad04cf757af77cc55ac04ca621

SHA256
b827216cc71b5806a816696193ded7129fce99a6ca663083b7f316993187cac8

SHA512
c25d4897d41dc24219af96c4cecde1c856de1795fa6d1021ddb2e5430ca9ac7a7875555cbb31e4740ce1a89375f9e5a33b1c9d5f9806b51922b82446565785e1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
cd695a34f1d337ad5e10dec3d7313198

SHA1
93faca645f6dcca85fd2b69c2c309cd552f50214

SHA256
3f517653868587234551e7be679fef7dcd47a00f06e24ef0caf07baaab47b813

SHA512
e8fb5a21ba2edd591590dbcb195547af544740b09701353d5c4d2d96ec556a45ce39ed434196839cfe96e766bbc190118f0413416519281c5b16f479b862afd1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1851c3d2af8fcefbc4a3a97b2d44675f

SHA1
cae4d3e298774507fac5a8740d2619798aa712eb

SHA256
81536cd97e995fdbc851507bd6cd2933835b239a1e5dcc7e1b4058a8b477dff8

SHA512
3974b66fb4bbea23b512df0ead71d0bf7f2ae3fbd5cf1bc44770bd2c0dcfb8c316ee02b035fb5c8ccc91a2abadfcc9e28ccfa8f7309e187c59fdf66835b15590

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2be744efc596de41215b69089569bd90

SHA1
67819f46521583f1c59ecd7af56a4f5e2620bddd

SHA256
824844feaca8d3b0c700f7af4bbfd4675b9814dc0a45dd43281f32a114151861

SHA512
26f762677652115819641abe06f6c38209b94cb8ec1b3a715e6d2737cf323fb84c2ca62b0b1c287b76b0299fd00aefb19c12df50b0420db1749d564f34f0a450

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0e5a7cc03655346d1e9fe9fa7e8f9e24

SHA1
1465a823c866a5f18a1dc5334c3f488f3a5f6828

SHA256
7b5e89c69386aa05fef84649c2093d707d7a71d171ed8dafbc92d173a0b095c0

SHA512
0e4dde76678cad500de8795a6929594711aa5d10ae757137eb1154f4e7d9ddf09192499693ae6396e9a7685c81a575c9d7934c51d7e26d54fe0d04be7ec48b9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
d291edad323e87c386821d3e8cd4272d

SHA1
2a2f92cda3cf155d534dc9079562c34f31eb0dd5

SHA256
1ac8e957c9f2af3ca622a034a6fb884f795f61c6f71cb02622f31aa28b72bf27

SHA512
68f908212b1d62eb88ebdaae501e720e7f621f4bb102925ba636eb3108f7f934da5a6c4098574b8f005be73acc0d3c85708920ed77e60d468a9382d15a1062f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
86d4a2cffbcbf521fb175136db00c0fa

SHA1
3016bcd0b0c9aa871e4620e223f83b2fe0052852

SHA256
83104dce7ab9d831f8dbe599ace1ed500d3b3b6545ac045d3ffe300a11aa3d32

SHA512
eda6ecd4a338d1c38096bceb40dae60a128b427e2170340731b28b917b12e6e98a80f551ffcd2777dbbb692d32df40764577c27f45c24791e211a993ea4f93a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
afc882668b89c9e44e4fd489c812fc8a

SHA1
ce444fafeaaad9a1cc9ea3e3e9d6884b4a5d5626

SHA256
6c8bc8bedf55144c9cf724a7a66ddde3f519f50470f8e73dfa04174dfb279fff

SHA512
78d4d5fe8cbdc3c62462c93409177c389dc893af1edca7b19de1a7d7c64e585c6f1e6c777f944ed3a6a03881bf732c0d6a8addd150607c8d6af74c62cf3c3017

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5aabc55b7352562a71e1e8e3f70ac4f5

SHA1
e8bcef271c42342006cbf1758b8cf2d0ef7e3b2a

SHA256
b6b9ce841e0c70f8f220ae54111320b5a3a1a4bcb753d0d3915d71959a39d300

SHA512
34fe430b73245891afa3e14c4ca84acaa4487368f9620fcc42b3daa9d729a7f25b04da65e5922bbcc5aba5108710044006fe0dc5ff401c278c13030baf26ac32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6fa7c520d510f1df46eef3df00f6dc7b

SHA1
9e46a2057788b195ac4e2f58ea1b9636ef46738d

SHA256
ae07a77e20c74c576aa26e3610921723cdbceb427dbcb7b408b6728e258bf60d

SHA512
0b1df9d9a218c87106dbb0d9a5d434c8e3791a24f50edecdbc7c58855b5d9923b0be6d081c31cb001f575787bcdcb152f0ba2b86913437e25e899f5f17abf694

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
8d3f9df28b62266eb40dd910ab9be8f2

SHA1
0fe4004c6ddf329410213178a0086236c6547b44

SHA256
c31239e640871c645dcb063b15665e2a3821e9f9691f77be4d542811909dfd1e

SHA512
5e990a00186cf778ced4fcc0488a26e579ac2a5f5bbc6147842bcf2bf4be946b6f9369bd069354f2ece4f99b10e6d8d4f37904910f0182acbd94df72da4ece5a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0586e24284570bb1cd557376dc13d365

SHA1
37f49c12d1bd1be38f288d389ddf8d6d132a91a7

SHA256
824db8a2a627f7814f9be57fc838e7bf032ed904b1e255a8b1205c88e8b54053

SHA512
3805f10d5859229a76eb4181958452e35297f05420568e4c0b1c217fc20a3c258ec5d9c8602638d219d03303858ed90735df02ef7758891ab269bc2e994deac1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
08f7a4e5959e8760cf6b6a0e9237de3c

SHA1
8d9ae4a88e331ed9fa78cb3aa99badda6f33931a

SHA256
27ebe789672375304107d5016bec47a64bf987073b9ca46b7a73f790b63505c0

SHA512
2b941437872ce8ae0968394607f1077777377e9912de6a6da3040c9f5f8188c56e1952ffca2edac08d55d262ca618170361f20e5e70e355892e73a16931e6e2f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\bd0835ac-c20f-453a-b3c3-b27732acf25a.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e81487b535c86e0d2158a4dc8e023be1

SHA1
6ffa6dbe3e63b4f9cea6f6f019e3efca024d6c7d

SHA256
07e926606e0d03c6864e4478f26c3484731d27eaf82799d3c199b0ad5a6650fb

SHA512
421d730aeb8541c290c1ee4fea737b61fc57d1aa5acd6f9e78c13c464e48b71b432bf8021496232e2a67d9b4d3b681fe67295f5361906c79fe2d005f62ac6485

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
21bd83c3b0d426d67386d8604ebe784d

SHA1
8a11047b8d895f547048f18c338000355de87d7e

SHA256
a74c4821ab36e938bbc6408a55d7435e634532d4527493974193cdb3688553e1

SHA512
b16b01cb3e42354b7d1308f2d4bac88b1edf597da49e7e84236527968b925a0bdc51a48e16def89bbea7ee9e7dbedbbd705380e31fd53743eeae8a7bb3981690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7aa6252e-f782-4382-85b1-0d6d9493037d.tmp

Filesize
354B

MD5
ef3ca2c459384b93dd1b8f78de3ef872

SHA1
10334eb40940c55dc2ebe02157459784d6b1c163

SHA256
0b21bf51ae440984a7b15d4d8e38b7c8ca2def3a0845860e562bee829ee15078

SHA512
1b1e7fff141e06366a82c88ddb187d7cb1a60f2645f440f8754f952cb9d13ab235cec4d7fc916511440bfcef36cb4c60edf7127a4460c839d807ee06f23ddd46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
445ae6fb0718b4d43bd09cb3f91dcb2e

SHA1
24d0c0367a3ae6f75e885575908732435438fee4

SHA256
eafaffb35016e9e8e2b47e8cac0de31dd039f79dc3468f59a3c1c179d567cb61

SHA512
c475380f483f1d393acfb370c222761d34005f185116649b3e6ba41e7323b3ffa9feb91783ca4ea3edd9a29e75a444ed0ed26efbaa6886d6287f796976836b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9af2f9488f0d4bd9dd8cf2467c847dd0

SHA1
b8e7c212f0df598d1b767c9ad232cd2435398755

SHA256
d3fd998d07c16bc2f5975ba0d9494f1ab729de0fd145dc75349e9353b880a186

SHA512
ed9045a27b3b6b4ec52afb4988a2384498c2275d02dd890c64bbb5cc1caeeeedad2cd28793ba1762dbc791da0efff3035a8acb610926108c415442d1bdcb33be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578d7b.TMP

Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f7da67f0c1ce9ab5c840382873308361

SHA1
897b8d8ecdd65cb51d4b8d219d0cb2248cf95e95

SHA256
33cc25e63db89d8d80d06ebf71958a4627d1d40cab98b6fd30c4a1f1e774135e

SHA512
3bc158740b872b962df9492f86c27ccc4a90533256c14ce50f62fd4f3314472feead6fcec892c714387be31d8b803e538d6046a6fbb49335453385527417897f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
0c0ccdb729725b54082b4486072b34be

SHA1
a055ebb2002f2bc571850bc768227d622e62438e

SHA256
3fbc04e0c13d35821f0af8ea95cc481e70828ac91d11bbd33e08f01f6a977f1a

SHA512
c2ec89e7edd751ea35b7164d45da5d2c840dbce6204eebf96afc84452734515d2d90b45ef61b8982e29484e232c2cdbc8b07df33708a2268cb14739c043c4b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
d3191cfbb5a7589a2f9c55cf3d9d68bd

SHA1
93450b65be6cb7fefef4ef790227ca4fd0220c57

SHA256
aeee3fef394573a64f8f22ffce88f05eca12ad21db3a215b42a98ff46c039dfd

SHA512
6cb0ea5a5be97b9c78ba2aa130df3395f1829b0bcb0076364db87885f8f500a8648ed9bea6317baf05442d03cf67e921f3132a077b2ef15993be21764d2b4ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
e0d029e3099a3db3b42c9e4967bf5be9

SHA1
ae04059234c88f0af713db7cdcddd1d010b1c703

SHA256
de58910df67d88490928da1cb9d1cd3a19e657ccc972e4eddaaba644fa121a28

SHA512
98f8f797e7c360d82c6b8e4ecb6d581d793a507a1d1103c31221f39d57102cf46e3c036f2b19051e6b95c64fb5729a0542236376f929ea1d35b8b150c7c83856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
2e7b8da7cf841f3f591d5b9edc17cb8a

SHA1
472e7a7c25e130ededa415a144f38c68f89afd91

SHA256
75fe2d9a8346e468f194a10214a1e70e5991d884a32665baa00eab110e70a42b

SHA512
08efde20e1019b819bf6069f675f60b801a8b63f7507508db23273a0384f611c8d45fd718eea4d0b16527710a1396c99e2a01a6f0ed7ec335b5162079b2ea504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
84ecb3dc0fec4196e2ad324e6a4d8fc3

SHA1
d785152247b4f5e07209b7c3c4ee904f76a2642e

SHA256
15f8a0879ac85ddbe88339192ab746687cce63d1f5a5bce8ac19208b3aeb8650

SHA512
f220a88d320ca7977447d97829def5ea70d285f972e65b60c98bdcd1736f27f395f63a00606c119b1c9bc0b60827b6266f9f642b4b59663ec9e0e515efd9a18b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5802d9.TMP

Filesize
88KB

MD5
0533f2c6d16126f9c15cdf55e7890c7a

SHA1
b3c16308219e41a3e69b61618751b8a9b2345366

SHA256
90c737877913a062a9a0f382cda5349c488efca5acd38b4af02c3aa2c5eabfd7

SHA512
9ef32c0ad13e5e3a21b69205b711107ac76bcde303bee80948fcf122c2c91dc4a34e140bb8e4de2792c3ef26a5dbca4fd4416c7895716d326d9b2f4305c71b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
dd1e09cf10a093875f12dc026f7b5020

SHA1
019d57e4229cdfd3b658afaf1ef06fbbb50d1022

SHA256
2cedb1ad98a3618018de58888e46c185e014900381b52f2192aeb98da20f5b49

SHA512
231277b749932414f4255baffc9f83b8e980efc067e7960ba58a5cf5b3f98d76f6bf7a11780cff60cde2d79affb2b1799e0ad493353281b1c3148110cf7aa4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
cd7c3ace9f060a13b775562c02b8e3e9

SHA1
3be069049ad1511c56d3245dda24649083728355

SHA256
582e683c3d063046973fa14a7d15d0451e90db4a0160d1dff8d6c4e827a14b2b

SHA512
9a7cbd44edd55d732501bbf4b8b157cbd6752b384aea7ab748edd94877eda8f439f07395fe812425a0b8d1d96481c8bb9120ed606aacc7fd93c849e39d00abe7

Download Submit
C:\Users\Admin\AppData\Roaming\726a30f0c8648821.bin

Filesize
12KB

MD5
ac8c8c7c7be7a1d4ca1bd0aadb69bd57

SHA1
0137960aae22e9328adff5bf0a9edc3150cf1822

SHA256
2929ca44d378ecfa31686941fe128c36761373ebb26086b959a6e02029feb46c

SHA512
d35bcdd0a3393986d5f3b28106dc18e92f07e6a0101208cfe715408a2ff3fdb6dc823b7d0843f117a3bb301ead80f28080021ad53cf530f0f8503adeca056df6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
0df3db71c744c2aa4eade79b040c23f3

SHA1
390fd903a0870ac49447f00ce3ce0032923246a5

SHA256
d663ad0e0e6a487b51df522c618e77b0f99a6f1ac3adeb21388878c07083f957

SHA512
e6314748d24844397a96fcf79516ae4c1576b96f39f3c380689c4a8c4f7eeef15dbaf35881c3f29368fcd5575dbff92ee2fee9328c603aa06f1b0d26a438d84a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6999349503f1ee66ff3a16a2bd7cd864

SHA1
70788102e2761c5b5e60898a058adb222801d155

SHA256
1f1848095956bbe4eec95c21636b06712767f1e481123ef7592d521166de5cf7

SHA512
3796a96418437b8d04831b1480dd2d9bebcb25262bccf63a1341143c202178d5b12146445becbedb2f8fdfe83b84dd2e27fe8b2c769629136b35fbb38b9badbd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
697dc627902fe287e7c9a742fba91e10

SHA1
7b7e503b643fb1e0aa365113203c578fdf779031

SHA256
2a981aeba8b180932780b36d4be10cfa1212f61e0785ccb349995fb0bd82b43a

SHA512
97fb4ee443a16980d71cb87ddeebcd9dfdb343677821b636964d78680faa325e9d4c5a242a1a649f4090c2e3d007915bb29f4eea8e7d40857e64f0b0fe45d5d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9fc623ceadb00ff1a5671554c385300a

SHA1
8ee34b9610eb4ab4db040b21b33c3cbb48ea3975

SHA256
a1b17b59f164968ac6b5e240d0f90a730a53b8e012457ae126e5d55e5727ede3

SHA512
7c619abcf6fe8808314f72457fc40f57d286510e70fb44da7bdf795d989d895bb9156c7332aa1b9105e90b96b41956f94530f1fbe9e9e907429ec77f8829a28c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
9597a5611303a08c40e252a80b5eed52

SHA1
a45ec7577ed1b98ff80ce82e82f3988b78c5853a

SHA256
7b5fdb01158d7242aac3d06ea8343d603e606f38d631dd56c63bb5b1c29a5b9e

SHA512
252ca783d06793ca0686a729d48d8c121b544da41afb20f2957c9540139f5c603f96513174a2e39bf0828df322742d6bfd8fa6813593cd613add7df0b067924b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3ece4c4ee441c5348b1043fd525e609b

SHA1
faaf73031b35760aed4d9fc945d2117b04661866

SHA256
abaeb9639865d6c0d55200346f30d2275e14c8f48b0296ee8b2a195cd93ec6fd

SHA512
d74a45c18260889734e83ee4e972d71c96c8ff44fd78ec94e3f28644e6c180202214b7e6169b0f064761af36d174e3890fee62a966f138851a3e76d207471a17

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
10ad28d22e714c73b39d98c7cd9b6645

SHA1
5db6f25656576cfe57de409de8b801907b85fab2

SHA256
e1b9822303126b8b24e628dff6a8707de60f2c7756ec5c8be71184b705ce7fd2

SHA512
47b70d59f27e3b9dc9b21bbf3218edeb39be666d0071babc6a1f34e435b900c47200374b39db9b59046f3c3f6e7f420bb2e953e329bb848490569dfec15cf705

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
16d9e83f7cc16fcab4db4ae94a54189e

SHA1
44a8f825f320e7922709c47207ee9792e95199b0

SHA256
00ca02731fa09e29b93ae8e4d33b8d974282af65f9b778d326b509b56764464b

SHA512
aff8728fd68b983043315cde8cf0dabb008a4d0fc4d42ce8e5621832af339687967697fadda0b057a79828e280cf6485eb68882b54a07f1c51c727592089ef6d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4faf3a70521c0626fde363f237fce0ba

SHA1
ecec59e6550704ded0a378a22c57bd0b7fd40d6a

SHA256
ac4a23957aa7f6d473ad33fc53b379d39de1482ed190db8ff19f712c2da306d4

SHA512
e6ba08d6f00436ab465c628e2d3d82bd717970795abddd353ed17a2a48deb4e7e7ee46a2ba5a9b4c6d5a15bd0ecd32b909507c446e2c40ae21889f71cae61cda

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
87e1d56cc335dec9a43e0ff529903dd1

SHA1
835b792cc776daa363bb0f28eba2f86ca6232082

SHA256
60713d24ef0a54d581d1c427c5d2f5a44a3eeb76cfddf9580852ec6fd55d5636

SHA512
691c4f2d2ef0f86cc6381e0a3badcd7e242226a90428709f7df861f2f81deaff40968e211c8539f86ae8fa01bb9ddff509178fb7eeb0a5682bf05584e89c0dd2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9f7466c772147890ed61460b53d83eeb

SHA1
72dbe2bafc41505ad1f799c78735eb9206f669cf

SHA256
aefe47c1bf1225164c137c3a54e06e00a5814051f2f679db28ea9628897bdc13

SHA512
49141c8cac40c5b2e3a2a72ed8f5ee007b435761a959c6fa12b33c6e94a71f435c2679327ecff8d6f728be951d9e7ddb6252ac0346742384188dfebd10a53784

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
1c26d8679f4de5d6056d8778b3e45511

SHA1
e8cbdba1a08a83dd92a8375bdd215a8e6ac1f769

SHA256
527cd34ba8d8e9eb88a28e5e06d21e6cdbd9e9747c8ee9912cc50366692739dc

SHA512
73e912f78ed69366a39b9d64652e04ef1beca03f4e2d10c1bd4ea001851b1c22cc83f090c5a8dcfa9bf76c2dad68fd857c3f4a7c6feb6973afb438d407f5d698

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6e7d9c2cae05102508856e1d99a22d3e

SHA1
91292620121c5cf96bc5fef676474b2836ca81fa

SHA256
ea9107cecc224746aa0c9317e4263dc2500a70ad3da361bffeac677bcc156cf4

SHA512
6be0cd5b3aabbbb4b854da9260c2d143595347073072244a4affeefe77f7313e3ed83d9324ed9f47c23cf1406538d53ec4feeebfce79d799b42e2f05db183b32

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0f35e5d6565ae352dd5cb8c11d17ec94

SHA1
8d5690e20a0e9d849d0f95f660eea51bbcebbfc6

SHA256
fb3c06b426885b5df2490b19eb40d1c697fdb609fa124447972e88c6585d1503

SHA512
b5d8bdf79ed660abfeeb6de36cec758b5553017bf57d68759d447bed3ea8ce21806f4cbdf1e82a1d94a812d0349fc8d21639bb17e55f06407c75abf509f9ab33

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
862d5fd911d3477e7235fbd224aab3d2

SHA1
8114704590b63cae7cf579c17cb63b59b98a4228

SHA256
65403eee407c879bfbfb3e1a598681d1e19038b4924231d1f19b5814e00f95b8

SHA512
0324cffce67aac11b2189ec6fcedf55c317b04fdc3f0ea6a269c226e19afcd8ed82ce9121e25f1bd3a88eb0b3eb84522a694fbbafb61e78417245d8fcd3d7848

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a5df76eac9289b96260cbac6f40b4d33

SHA1
6bb844100ca265ec08ee049b22187ea6e4b9f6b1

SHA256
d0e8a6a0087ec0ae05f2949336ed1c515648aa10ba91d5e6d7e86c4b50a72e20

SHA512
17d83a2d8fe6007018d4c5b272a7674e1b05bcfac5c531d18db00d5cbb8cc87c911144538741fb7536f059ad2115f3514220c1db594902a3797e2d42a611492d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
4f1f658175dd621ea371a0a8471741d7

SHA1
6f02c44a8de0d1c4605783b37c7da113961ab2b2

SHA256
840ae0a331f13436c2f75806feecea04639011da1e86c855f41b96d0bbb164f3

SHA512
ab06ed41634cba4c3f9b6954d43d251cbe722030d0910fa13addb8ddefa4e967ed23f16f2e39464542547a4f4a7d4789d8852b30668bebe3bcd749015e9dfe84

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a4320f583cd2652a44d79ba541b0b09a

SHA1
ce33ac4a55493ecb94e6ad6446ee621b167fe75e

SHA256
6323bbea223d47942c7286516d0ac79365bf0616c212228635ada08869be6000

SHA512
0103dadbedc5df16329c42ffdf6b2fe79c834207e6bfb1d003308093d606e58fd17c66af153554b397477def86b69fb475168f64daf42b42a70e702c1238feaa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
7c1366e9bbe47e98a27a80169b4d792b

SHA1
26e93a08763c61ace8dd45b761c075a075e5ad89

SHA256
f5e77bfb68ebd93bf85df06cc5dca8ab1124a6258d105a802c1ceece3cc1393d

SHA512
def4904b0f4a22e69ba8de168a070c9dbefa39a2ee9879bacfe689989ac9fa324499a9a8bc6708d6ca0392f9c98df3b0e2e172f950b73ecff2c17fb56f29e71d

Download Submit
memory/208-288-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/768-65-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/768-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/768-52-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/768-46-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/924-296-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1656-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1656-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1796-277-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1956-21-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1956-719-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1956-12-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1956-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2128-292-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/2148-56-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2148-62-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2148-264-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2148-437-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2160-726-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2160-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2160-263-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2160-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2168-91-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2168-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2416-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2904-274-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3220-272-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3220-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3220-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3220-275-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3220-9-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3628-728-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-305-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3772-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4048-273-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4212-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4228-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4228-30-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4228-258-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4256-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4308-301-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4472-261-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4472-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4472-42-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4620-276-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4828-297-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4940-727-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4940-302-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5704-477-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-729-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-511-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6036-735-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6036-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download