6fadd7d674db9cba4f46f57d4a113113e75937d079daf620d8c7b2f16374c0d1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
Size

5.5MB
MD5

1ec62ca7546b68b546259fc138839af3
SHA1

958ff68e0b4840dc28b4baf8cdf5edc5dff110df
SHA256

6fadd7d674db9cba4f46f57d4a113113e75937d079daf620d8c7b2f16374c0d1
SHA512

2cf53833ad81ea7054f06ea5e149506bf49f4051dd8803d9f7b00f82e44510a30c8203037ea45d1afc2f4dcefa3a0227093c2034d875408778757678573acb5d
SSDEEP

49152:iEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:oAI5pAdVJn9tbnR1VgBVm67nOA2B

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEchrmstp.exechrmstp.exechrmstp.exechrmstp.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
392	alg.exe
636	elevation_service.exe
676	elevation_service.exe
1036	maintenanceservice.exe
4624	OSE.EXE
5288	chrmstp.exe
5364	chrmstp.exe
5456	chrmstp.exe
5524	chrmstp.exe
3228	DiagnosticsHub.StandardCollector.Service.exe
2212	fxssvc.exe
1040	msdtc.exe
2428	PerceptionSimulationService.exe
5760	perfhost.exe
2348	locator.exe
1572	SensorDataService.exe
5412	snmptrap.exe
5684	spectrum.exe
6056	ssh-agent.exe
4652	TieringEngineService.exe
5912	AgentService.exe
1864	vds.exe
3764	vssvc.exe
2680	wbengine.exe
5956	WmiApSrv.exe
5336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exealg.exemsdtc.exe2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e288fd8c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exemaintenanceservice.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exe2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064c0e8211caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064de03211caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064de03211caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610573980502708"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041a5e9201caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6181e211caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1696 chrome.exe
1696 chrome.exe
6400 chrome.exe
6400 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1696 chrome.exe
1696 chrome.exe
1696 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1696	chrome.exe
1696	chrome.exe
6400	chrome.exe
6400	chrome.exe

pid	process
656
656

pid	process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exechrome.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3524	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeDebugPrivilege	392	alg.exe
Token: SeDebugPrivilege	392	alg.exe
Token: SeDebugPrivilege	392	alg.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1696 chrome.exe
1696 chrome.exe
1696 chrome.exe
5456 chrmstp.exe

pid	process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
5456	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exechrome.exe

description	pid	process	target process
PID 3524 wrote to memory of 2784	3524	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
PID 3524 wrote to memory of 2784	3524	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
PID 3524 wrote to memory of 1696	3524	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe	chrome.exe
PID 3524 wrote to memory of 1696	3524	2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe	chrome.exe
PID 1696 wrote to memory of 2832	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 2832	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 464	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 2744	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 2744	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 3896	1696	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_1ec62ca7546b68b546259fc138839af3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0900ab58,0x7ffc0900ab68,0x7ffc0900ab78
3⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:2
3⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:1
3⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:1
3⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:1
3⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:5136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x274,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:8
3⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1876,i,3074216531720125573,1423694682896747758,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3672,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:3152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5336

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1084

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
2edd994a82f3b488cbedefb72c17ce50

SHA1
bb6c751ac2c07a99f1258102bbde80b0ae51a6f9

SHA256
be348047b79d984d7c9312e967d56ef8a207778277e01cdf4330b2967a52d6aa

SHA512
2f449c62908c9fcdb8f6de29c2d90b28088ec88c2b0135c4ea41bb7d131b938d00ea916300f8ef87da2c191bab5ecbd13844a67ee350dc55a63836a58676be3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
ec79f31262d21c4c5cc0b7178d025055

SHA1
4bf46b39bdbcc2c1d97b41c4c7453908cc9ed9e9

SHA256
957de5e9b91cecf6422c01896572fdb7b7fd5a076d9acec7ef3b8340aed8bb1c

SHA512
5a6e3d20e972615d5fd9c94d6df1a41f090d3f80655b27b84b3e4949de2f4c10975b9c50fde6bc39196e07882cf34a67527b0ea937aecf27148c35bfc2a5dea4

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
ca9e5de576c5d52978dfcb841f2d385b

SHA1
db3c7e762428868c6cfc5972051273242e7472c5

SHA256
66e00c0987e4b93ee5701b910f90e480005c358aebbe6eabdb0c5d983196d8c0

SHA512
40843abce0c5e01db2a257176421761a2ca50b124cefc92b95663acd351a42dc3fa25db14a179d0e7306eb9a2df9e6fcff26eced6230f098b0aff9e994512dda

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ca299cf4b6a6fe203db97d1423b54f36

SHA1
7180ca5091ec778043ccbe18c809591a50b53783

SHA256
ba43bb5d1e28334b8a10db7ba9e852cfdfe937a91f22d341e9647f3f914f601b

SHA512
d3ffe68b1111b221afcf68c0654a779d3361ce4f8a16630514101d3def754b3ccc692600a1a1a5a5093b68e05c6e25c2b5ead8181900f55477af566601d6be0e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1707112b4c4e26015a66458b7aadbc7b

SHA1
f4fd77d5add2df7066abf3c9087760809aec7287

SHA256
11dd82cdbd3ff95b773ebad7dd0630674cc6e961c8ab8ca2680663e803942408

SHA512
4c0aa0eb593a3b8cd0aeb559229b55ac8d8e062ef785a9bdd438c5e079d67e607c842ad1f2e945dc26658c73951f00d2ab8307f447f0145b126506bc6e6e166e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
2421f801c1901c076399be300a111766

SHA1
a318337f10da06bfb08a7ba478eeaa03313ad87f

SHA256
0f5bf43c0445e4a0434fddf933ce8f79e926c0f540b1c5d295ea1996570be5ef

SHA512
7f6a663c17c9dfb500574c2a7895f15252f812a3a3aecc16a99df76b54fa9320365d35f64406f3c42ddf11db6ba8457c72ea405abce42e4b49660b90ff157f8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
5511b4882103c499c25d31d8168888eb

SHA1
ad10571158ffdfe4b8c1259f42ad2a1f0253c69a

SHA256
305e7fd9c6d23bfc455b07a41ecb97f875185d13ffce08ceb56574cc9db78c2a

SHA512
5291e241c9f21d08a19fc0222b5f45523c78649a8cbdfd42a0de4b8065b68e605e5e5e497b185d0b1f7fc14d116d3e9e499926a69bfab93c526bdef8ed21488f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
83dcbe403580d84ff8f41d4896d2ea14

SHA1
cd9c8455375319cc39da2aa47850d68562b8e851

SHA256
db7e878bb666849352ef2815108d4a299ee1b17e3aba13fbdb4811aad8a16417

SHA512
067ac6d553f1ed9f3c46b73b27ff489d70e3fcddc160c761c94d62532b81097ff93b5c5f226633d013b08af6d8fe0e87a0ff6db1c1b8ed544aebfb16479e0329

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
e0a606465fba6b512d1657821bd780fc

SHA1
0add5ecbcde037eb4da82feecf1bb0455cec7397

SHA256
f12a72517ecde1658efa6fd435f74e3f49f4eb69a01b511742c07496e51ddd6c

SHA512
902ff1020ae47469775ec300280597b33c5427cf1cb45b16a28714229b0c7d49748203d1d19ae16dc29f6616f5b788f39de97b33883a51c8f295380e999b8820

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7c39eba2d49dde92720b4706907f0787

SHA1
7c4271aba00605c49ae2971d746088b9d2c1fe4a

SHA256
1a3e0b25b6389bdef91e20361c50bb8502b31aa95aae2066d21dfa217326a3a5

SHA512
a412df851487931c7e3c2a2980ff23aa5314dc3b2fa9a5aa49ca8ef4316ef77c3264ba1150c408eabafc2d1fe363da70a26537628482936ba2482ff5ebd402de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b5174777bf2fd149c3b4f68936e89db6

SHA1
e77a87e7753af3c29956ccd5bc06706bf002e3d4

SHA256
b76ffa8e16a822c805130d57a517176251b6d0f865033c44f8c63e7b4b163f8a

SHA512
1e8167a005e0015856c890df56597eae4d3795390ce0fc7037a1a433bc1ec3f6e4c620ea214b4f3ff797c27cd3fa0409a0b92295c939c960c87da21cd580c3f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2b51ed2997d0ced2dc025939e97e41fe

SHA1
937901c48e534ede80228094e5fc587da346a049

SHA256
ca73a207d0a2f948f30841583f2415ff078f33d3324922ba488ed08c9a126122

SHA512
81ad789ee7cd9e479dd09b322c9163736fea552026b90ac53938f7bd8b3af53e4b708fb77d5f218f22ee352349e152d09937207c1634ea505eeafd3659b9c04c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
2f02d537482fd33be01ba5863e05aa30

SHA1
27ed71c3f6d6780716e71ec3012d10c7d1636ce1

SHA256
4990eaa8bcbd8dc64f840927c26b25f2dc16116464f6868b24b3d68b1c454167

SHA512
d944ee19d5e0f7d2f770a75142534e6fcce8b1fef2cda5b33406def53dc128ac62a1e1a5f67f15fe9f6c93a8deced3e33c1ffb8c3fa85e43b53f5b2e32320ec8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
39cdeae15e1badd3f187f5afe1cc0fdd

SHA1
f1f3651135732e66adb7757d4bc9034e2b673ee8

SHA256
c52b8058ff2783ee062134582dea7cd75b02b75ac9620c891ce300f8b47f8bc8

SHA512
4f1023f1bfabdefd5fa70df7d08b82283f79e8908942fea0703f48b1dc6ee0356932fa686393e482e211a66ebceab24112e4ca56bf7fe7b0b450ac5a75ad887f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
fb12a5aec2ee6a3552855abfec31dc79

SHA1
8c36410027aa99137380dd345d3af2d2e36c3dde

SHA256
6365f0d5037ab20deeb3decddb070555e1466de79065f4b8b3d810ada0452406

SHA512
66bc00955eea6fd27fe64d3919b66224be1003d6b2a9624af7ceb73bf00d433614331eed328a696de60d7efad743e3b06e673b609c3a2c8e427f9eed344b2171

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
52ede79e6c4eeeed964f39af336ac404

SHA1
d96977b5a16b7637e877694ba206a9447b276dc2

SHA256
adae39ed2fb1a99544e330ec1211ed177e8e02f33a51de605251ad61c4843239

SHA512
6590208d389f0ef538ca7c98822d22b1aeec09ad27eabeda06d3e777e3b7730d4340be08aab8d484640684e5d6d32fa49872ed02e5b09b274e1dea0a2e584117

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
32817b53f2d5066fe77c9d297f7ef658

SHA1
042d7c9f757ce4722b7e78a99113912eaa4875fa

SHA256
b622535b3130f76bf750a07f0a4ffe043ce2d9295841bc4f9e1c668f8081e6c7

SHA512
263b120fbd9f2c3ca7b139962eec6f7c7a2abc46840134f73fcaeb8806325d509cdad55dbd31c81f53b5a3e95c218a58851abf59aba068e70d6f201c9d3ad451

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
55efcd63998d240d4c03dc9beaeb08b8

SHA1
e4b01ed3d9e61d5d2bd81fe9963257fbb666ba3b

SHA256
18b39ecab6e044f8acda4e95eaaff4d7723a91c19d8fd7194fef8f42de476907

SHA512
d56d36978a075dace8faae595fa1bc76798aff9c17cfc74a04cc34d7d11f91f4b64790bb901927d3c698d6d8411667d1ff1ec3fc2f87e535d8c2720129031278

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4020c706b6eb6d7cd6d02d65db93b541

SHA1
19e7d445899fdfa1787a6ccddf4c2e9c1196f941

SHA256
ba717918b66d734592b3bc9c70afc0e386c1c5916ce8cf7d6ddd54cd62a24817

SHA512
0eee4729a917774c6ea8969a9f9f58bab8dc4eb140700690f22c9a69653d77cfc3e51a4e4fc2c26581c4761476abeedff6bab5f1fe2fdeaf567c32c06d7f317b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1c2e8d0a-0b16-460d-9ce3-3dc504eaa982.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
adffb33f0c1db2029ba90195ff89f6c5

SHA1
58f7a5ed3b2e26dcbc23b3ae1de5706edc8dbc6c

SHA256
dce917328c4c7b7ec65b3b537b7c62e6fb847f09a9013647d7ae946889841af6

SHA512
08a2ead09109d5d8003f245eba3b75b3ac6fe60c6c50917bf2d0edb183f4839d7ebe48cf22fa4d8fa7ba83c7e1b5f4efa81d106480104213b2190989ad2faa4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
4fa632b692914c91ffc303fbba182a82

SHA1
f2c410c7992db788e97e7624f48a5c0118080901

SHA256
0d24b871a41748b1e32ad0e95e2c7dedc84bdf4a645885aa61127a2fe1b971fe

SHA512
db32559b6774478b024c2660bf78f5dcf281422df0db018773d7a8fee2546648e421467086cf9eae04d51f3b6d06d717df9014ccf0e0b37e25842fbabdb9346a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
4905fcb12997d02666bf4f8bfea50932

SHA1
d49a929fe4e2c54ab150888b42eed16e114e0fbe

SHA256
56f4270de25260cfe494d973df5c213377d2de9bfb796a3ca6c9b718034a6588

SHA512
286f1b21dc8140751db883a78e8a82a22f5c28738232b2a2e5fad55b2eae7b11c3d8bb287270c8cbc56b7baa49a61d71188c3f08c12f516291d5ef1231c175bf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
1726aca6e331e8f6d7383e9945d5a8b1

SHA1
2c42af8e1f953f92ea27dac2d4d33e43db74c29f

SHA256
d4f56c937af838408d9a83dfb2c983a81671b5cfd05d3343d34789c86304348f

SHA512
9e5dd8d93d9b7be814272b4f104dee1c4b2234d57fabfe72038d03bd12ec31ab4ab66c2cbcf94b720a98e12261a66216bd302c9fc36de0b64122f19b3391913c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d7dccd6f9092f034f691f7cfdeb933c4

SHA1
754244b7a23b8bf5925f7f38f23588707e66c755

SHA256
c0fef16ebfba5f276a9bd206ea6afd0cc3aae97b7ce0810cde0f906acf444230

SHA512
19908ddfa154a3c134116fd4f52ad29738572bf9a2204a75ca9ae58d549d65072eba938597fd231eb979b296778b3d32ed97e7886aa9a6835a68b3f3c4533615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
39ca4d53e5383c478e28be85adcc6c62

SHA1
c61ea7a06abef573ff7aea3828b5ece2ad28b94f

SHA256
aa0e87e0ab5469e52f8468f643b0e5357287e53ff511fa7b179fb905e3d3bb06

SHA512
7a29ee1d41e6050c3e7266ef4f2d2d1f73f72a0868731a205e056c213f2287c232c7b5fea070420c64b91f6b561a0c9c9cdf423ab0286bb7190e6c8ee15d47a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
0c1c4edb7daf2852b840dfb8fb7d7015

SHA1
3e74422df2c2457f9d84680ae59f104e929fe03d

SHA256
bba14249583e44c3ce5730ae3b782ce25d6f0b4e614b56dd4437377f4ad5d483

SHA512
1b7dbb64687323f2572d710f5c62e7775762528423c5afff50dc942b839d4606c249b17fcf29558f4b8803b2239b07e2ca57ac018877fc89402ef57670691558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581c3d.TMP
Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
126a4e9a3e04c1504b8a1fed4cbf45a7

SHA1
f632cbb1a11edbaae4aa83a0a434f01f87e005f9

SHA256
22148714ac40206f22bb4f566edc966ceae0cbe1b1c731302cafd666a22cce38

SHA512
c4e43c928a4bab42ed7894bbc9054860a2a045482a792e4377079cfde108d2cfc121ec2cc223dcdab039e59a97d823b900ee27595ea47c715048e7688383cc09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
616d4607b24fba05021599c8e01ef54d

SHA1
5174b49d2c33822fc7d87a8070c4fad552ea3319

SHA256
b5fa6d1bad2ef76100443843ad2800236febf9f11a277de92abcca0f2232bf51

SHA512
5a82a3042d4ca5aa1fd01f384b8eb3414afec11d822165a0ab93e31a7684a6a88b07a8c22a1ca1d429a3e94556ee9ed660818081e68c989162f4eb97846b2943

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
de94c1b65ef03d3719640041211ec49f

SHA1
f44b54fe2785aa3c42673ae164373f3dea01aead

SHA256
4bae0dcfe08a04b0b06871170da908d3893a616a11f08e0e17ffbbad78b889ba

SHA512
fca76e3c1c1d927f79398ddb8cba7e4c41ce4f14d56675b3e7e3b1588dd6f5619fc2c8313a08832bc239547ca8e7b762ed38919133472eff5e497604de7d07f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
88b32b093ba1aaaca72a2c5161d7e273

SHA1
c5c8c509e5be50c1b107bc144a97e46a449cd26f

SHA256
a7bd768a417bf0938ba2f22871fbd64566d9d6b8a0e2c7d9d739693e5061bdad

SHA512
b49b1653354b642c21414b815947675daa283a8a3ce7661357379967420ae522affa518c00596498c8ff224d42c3a306dea746da88b4a1bddc150287ec6b8320

Download Submit
C:\Users\Admin\AppData\Roaming\2e288fd8c3a5208d.bin
Filesize
12KB

MD5
f11a47456d8036dd1d5fc140b567f861

SHA1
02c941e6d9b3d46601e5a97b157cdd498c6d85fe

SHA256
bd1ca370dfed779bcb9162171baf2af3f39e92e2ef0cf59d30fb8711ff8a0e93

SHA512
32b56562b907e9cf800169f92ddf2ad0756c291c3a8cf64942c65ffe3c6d8a13f5dbd63a71f38bd0c2d72b359c23b2c7c3d2a810fa3c2f0c32567b9e33e399b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8d9647c6142a39ef706302af190c4775

SHA1
e43dc51e8ba1a10c412d8c09b6e927745b6aa5ae

SHA256
ca7d65faa8b70a22efc56189ed7d84ee00c43c74a6509dea058225a5f73bf3d8

SHA512
6423ce12ff42fd1323b19ee5533377bba3974c1ca04f951c1f4a341a5c0563fd0eca276966ef35d63ae2b444aa192f179d76c41e1ec68a053ad02d067cbce584

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ded1fcc61c708e66cafe17c6816f3f75

SHA1
7cb3c7874957d4df9f72045e9eb8bf274b1c4908

SHA256
353f0bb323f8324799427a0a953e50f2ce6a42f19f7634d1b5aa5f42b73d5922

SHA512
9d2e973acf2b26fcfa725b22be43e2fabb103d7870f1846c143a9e58cba1812a0ff542d65e5ef4507551d262cd36d1fb903c4b683c7275a69737d057715f8d35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
e791ada4e3044d10cf7233f066c1dfd2

SHA1
e78e1215c1434e3f8e7329bd071b9688782e38cc

SHA256
6d9a90f66c6ae0528742ae41d1db89c1190806a7d816b9ff18583fe6817c9e7c

SHA512
4429a938c5199b713e06e6e0cd95c8d1f9e34364791581493116c3098bd5272f6373bbf3c9cd557436dc4a452c07b550570537e2e3c50c78061aa5db28d34199

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cfeaaa58fb0f10a82f9e76db0de85191

SHA1
f6d5e70be57b450cbace573f22dd4ff96ec1d760

SHA256
df8c1f5cfaa289e07447fd2eb8611f7831e089423a9acca9b20584189363532a

SHA512
f9f0f5283d54b7da17c8d83ce1bd39a128350e4e005950d40ad09bf370a775815142f26be456dd3365eff9fe806cc9f22299f6886fb09dff89aa50727a4c89ca

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
afef9b6000e3f03a46d5d2fd69cb67d7

SHA1
d864c72432a72cebbd9453d45576a84b1c826086

SHA256
1104d3b7af91b08fdcba0a3315e537d8c5ff7004837644a7d3d4e991e0aabe86

SHA512
6de950e67adf33f08cf18181e4b7f860edc62473fa8bd908baeea58db3858d6dc1f0ef248b369e75bd9c7de84b87369b3cc996817947134cb187794573acd185

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
63a0d00b998f2d3de23c55705b7967ed

SHA1
bd7d77c1e99eb2855bbe770692c5a59a703ce1e2

SHA256
6b3dbf1f5884338499473d36a29960321da37e92381c857cef3610110c00e92b

SHA512
d35ea228a543477d1217b0052b7a4b802cca4178908038e8f2319a569ef1c8eb308635c4043edc58b981450e868d6e39b20053f9b4bc43d622c147db2f9ecc36

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
fea8cc3d25957bb1071f726844050d22

SHA1
b68ea7a5649d66ef9ef48c89a91c0a03ba496b4b

SHA256
12c9c5c939b028d357a8db81fc02db2916b7f7d022cdf010937ddf221674a60c

SHA512
35717aa12caef6ae8b41c7e366bf8e784e6a5f2f23ad895a56543f8bdfa747d1ccfd78df5b4f3072d50b47bcf8a2cff3bed23cd3b8fd60f1cde5daf33524e5c5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
efbaabcccf3b416130e07d60bd1a4042

SHA1
3f99a8b0d269d96d5f041c4f3c6e62c8f55ba741

SHA256
4e00259ee451d018d1dc87b8d565c6deb1b9130b725b1581a50823121998ef75

SHA512
e5b9f32e022d714c7c2ac1abc653cc9568cef0e7652ccd20c36800cfbb075a4ae5d546c46e4cee02d16261f9904ce70c9b7f02276709740e1279bad6f99e2090

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3c5d12e8210ce0563b4066039dacfe18

SHA1
6c5ba2eefcebfef71bf22ea25050ba462e9cb6c0

SHA256
a7a633120ed0306f1bc53be5cddb748eabbab988fb20e7a6afc60a2af6176f33

SHA512
17ad9ca34edd158eb0295f6af1671503dd0e693cf6531300d15785c168cd67e889cc775f769f776fd7117c60bac7bdda8fb46406a84706ef8e6a6c26faff670f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0f8ac1d85d89c8cadeecebfb3a43a711

SHA1
097b9e4f4a639111632080d94bb2727201e2557f

SHA256
9bfaa008a99ee3a18efbf3047defa3c8fae043a8ace789c72400841ce19c8deb

SHA512
6c19d059b00f3bd47fbe80362065f1fc356adb4b55ca59ef665a2621a76c3766776c498ddabff2f07d2c9945eeccd33d0816029cfb21f8e4c72eec9fbc70ab41

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
a188a17709743c814d376c490e7e6620

SHA1
65e3a5467ad60be66a1e999db33f8e09a0833efd

SHA256
f170c3b69f3aae5748fb9acb5dcf8846a8a92fae3912d6785ffa9085136d5c21

SHA512
8d672bf6a6cc3fa97700d2df96a600c1bd27e4e3777e927e1053936b63a109e68bd97c4be7ffa3deffda30b3342c3bb1e271496feacd56dbe1d79a92affcda99

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fbdde6ce7d4798f4cc65a7356a2e0979

SHA1
e9ab1b6360c3e1155dcb5208539aedb2b9e2ebea

SHA256
1ae599ed5b2e8aea589d61965e447e2c0b53b574d88313aae2867c096712b945

SHA512
813485092a315950725104d3563339ef8378c82b54b6fc997d1149d3d421adcac2cdcb655a82204b4f12d2d9a499ee632d49568eccaff0fcba27c84dab0b6dd7

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
c687afecd0c5f701223169a6a6ce3d18

SHA1
26dc5892d122c6ef82a356622511a3c9c7689118

SHA256
3abf045d745f48f755fb5184a47c8085c8e8202e08c6065e9c22bf769d1263b9

SHA512
fbe510b3fc96ddc7f56003a9c402f01457a2e4c0213d2567ea5b96c41dd5ce5ebb20ec9571b05962dba8414d56da047569ea08d6ebe8d470c4193e8fe58825cd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
764222f76240d2a0760a70b3e51fb2ef

SHA1
dbb4157055e1fdb4ae2f13cfc22d5eeb44fb0191

SHA256
106b57df5d368a620ecb8dd0c20c879f8801bcbf8e35a52fb5f13e5b1ad8bb96

SHA512
90e55be963dcff6b5b7eae2c64cc321a33b07aa0b978a21cabd01ad06f869aba3769ed030e514b8407e60d74eb19ae1553cc480c12f9f195da72dccbd1028e82

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
211249391645ce24d1151f8fc3dfa2ec

SHA1
27df2f3cd79a6f45d7fb4c1e0e7bf84f364a6043

SHA256
3455092a4a508946ae8c8fefe3a676e1ca20c1dead835b6f890aea43d78eac6f

SHA512
8f0966b9d7c99cc72e0f9ffff0219f7cf61a3174b2fda5f6b3f89bf69a74af8a9c3c1ae463c6826a9b00f3be04e1b9442399813d88af0d3cddef98f8fc658782

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
917e22241985229232c9229decb720a7

SHA1
4cbfe38041d938def8748383a4157298e8203f30

SHA256
89eb60ca0aa5605cfd0a1d6bfd857734438fd625959c31cba1a6f063b2a762ef

SHA512
04e8dce706c110c6ad796eaef0ece32c7acdde69dc89e3684070ed0d457c733623d606290561a9da15b62e218f90af6cf9321b11b64f3827fdbce0fc959c014c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
cf95e338a519e7d9b79aea37d05019d1

SHA1
e3a2ff1109c1e2fa1f85b83b9739981a37087e58

SHA256
f8387811140afb4efd631ac5df865f4b8a7d80f4b22ab985e780a8ac52de48f9

SHA512
84124f9f270337fd44ed34c86c2470116d9d7b56ec694f03095f9208bd7675d00217bba03b1a1a98cf7e68c8f3f1986dadd4fefa7da5ec5cc6e37681fce0f7fc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2224412d673f881e455cba5c9e82fa92

SHA1
b88fd43eb2298917b86d9e52db0bb3ca1b643d08

SHA256
e3d5eacbc5051c579aaae4ec94822d3e98ba5f7d3e8996645755209d82d25d81

SHA512
036d62703bb4b0b1c0dc26e9c9e9e72e249110756e2b7ffe840e8f406bf87a9d0ca88e2f678417706e9a7f6f27a1ee0602ed58333f9b2a9336ed0da10b433c8d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
\??\pipe\crashpad_1696_NZZIENMIHFHWRHPP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/392-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/392-19-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/392-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/392-369-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/636-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/636-63-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/636-224-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/636-226-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/636-44-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/676-64-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/676-54-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/676-60-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/676-394-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1036-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1036-80-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1036-74-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1036-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1036-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1040-457-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1040-576-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1572-625-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-823-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1864-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-826-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2212-442-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2212-455-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2348-493-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2348-612-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2428-477-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2428-588-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2680-828-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2680-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2784-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2784-31-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2784-21-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2784-368-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3228-439-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3228-550-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3524-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3524-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3524-34-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3524-6-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3524-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3764-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3764-827-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4624-81-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4624-87-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4624-139-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4652-559-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4652-825-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/5288-363-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5288-294-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5288-302-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5336-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5336-830-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5364-401-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5364-306-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5412-723-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5412-524-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5456-352-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5456-328-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5524-330-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5524-402-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-820-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5684-527-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5760-600-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5760-483-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5912-574-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5912-562-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5956-613-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5956-829-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/6056-824-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/6056-539-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download