ec17a57ab7ad8a3fd0e51b8c7d9a4d88a412e2cae5d0206f1eee7de268270832

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
Size

5.5MB
MD5

00a6138b42246632a5b0c15e8402dfeb
SHA1

01eef133e4aca58013093a83ca4d4c963e52ce98
SHA256

ec17a57ab7ad8a3fd0e51b8c7d9a4d88a412e2cae5d0206f1eee7de268270832
SHA512

9c0112670282b72c5f7425131de2c30230455c21f608488f2a0596fa372538a5c79252f17c900b2d2e7641f0d9820a4ed5980a52cba3df5f46efb950c289c4f0
SSDEEP

49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfj:2AI5pAdVJn9tbnR1VgBVmkeD5s0JXP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4824	alg.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
1148	fxssvc.exe
4160	elevation_service.exe
2832	elevation_service.exe
2328	maintenanceservice.exe
4480	msdtc.exe
4444	OSE.EXE
4140	PerceptionSimulationService.exe
3996	perfhost.exe
5084	locator.exe
2588	SensorDataService.exe
4664	snmptrap.exe
2988	spectrum.exe
3260	ssh-agent.exe
2928	TieringEngineService.exe
2456	AgentService.exe
3284	vds.exe
4576	vssvc.exe
3728	wbengine.exe
1056	WmiApSrv.exe
3192	SearchIndexer.exe
800	chrmstp.exe
5736	chrmstp.exe
5844	chrmstp.exe
5932	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\827796ebb4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ef34876e7b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006602b976e7b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065a53a76e7b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2407676e7b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cccc4176e7b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614746566443577"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061cb6076e7b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b64bb76e7b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
1720	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
2224	chrome.exe
2224	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4084	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
Token: SeAuditPrivilege	1148	fxssvc.exe
Token: SeRestorePrivilege	2928	TieringEngineService.exe
Token: SeManageVolumePrivilege	2928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2456	AgentService.exe
Token: SeBackupPrivilege	4576	vssvc.exe
Token: SeRestorePrivilege	4576	vssvc.exe
Token: SeAuditPrivilege	4576	vssvc.exe
Token: SeBackupPrivilege	3728	wbengine.exe
Token: SeRestorePrivilege	3728	wbengine.exe
Token: SeSecurityPrivilege	3728	wbengine.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: 33	3192	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3192	SearchIndexer.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
5844	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 1720	4084	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe	83
PID 4084 wrote to memory of 1720	4084	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe	83
PID 4084 wrote to memory of 2852	4084	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe	84
PID 4084 wrote to memory of 2852	4084	2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe	84
PID 2852 wrote to memory of 2024	2852	chrome.exe	85
PID 2852 wrote to memory of 2024	2852	chrome.exe	85
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 548	2852	chrome.exe	107
PID 2852 wrote to memory of 2540	2852	chrome.exe	108
PID 2852 wrote to memory of 2540	2852	chrome.exe	108
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110
PID 2852 wrote to memory of 1704	2852	chrome.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-29_00a6138b42246632a5b0c15e8402dfeb_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x29c,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bdccab58,0x7ff9bdccab68,0x7ff9bdccab78
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:2
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:1
    3⤵
    PID:3704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:4848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:3712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:6136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:800
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5736
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5844
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:8
    3⤵
    PID:5896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 --field-trial-handle=1908,i,5469647369649311695,1107151124996277339,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1608

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2ff1b293eaad5490051d665604404006

SHA1
e6e1d2d0ce5651705bac8e13a695ecc71b71d368

SHA256
ec24cee2208b76cde4f345836a1d30eb7a71dfa53886fbd96a8ce96adccbf3f4

SHA512
f45f663a341434005ec2650171f287a40a7be6e116e2946e8fd226b8163787cb33010e44064842e2a4074abc6e810aed0d3d0cec6a7a6085fb6b2db7b512f95b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
12ee89702162c4a762d1c100ec4ffe9d

SHA1
982287a4f1566ee51ace5e38814174f21ce55aba

SHA256
15e5a75622e3e01faff50c5e00a60b2d2fde068760d7877486f3d52d6b488cf1

SHA512
17dffb35ec03790f962ea9d306b3fe9489fa80a216f768241085fa86d3a2e4957f652c8c5ec6d69086bdddcc28b86c9a4bbe067d967fd1e48778300a8fe6fcc8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
72e962c33f9264486d60e8b06094972e

SHA1
ed056abe0882b66faf32c35b0a9b13d9c98e191c

SHA256
9708335d7260e3f9f70c4834ffa9408a3265b17a897c0f1f62bf2e3d5e633810

SHA512
b137e6c3779482f1da363fc4aa5c7b89a8ca2d2ddf7853849617a10b49050ad4e0f0b45e6b216741d517ebdfcab959496d9df723f64ab253a5be5f2754e1655f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f4937429844b8332e9d35deef53f5ac5

SHA1
6607264bd5ff6a8069f43e33108e8f49590dbc38

SHA256
57bd76eeb76c353a5c9fea9ed7a89527a755996f1637e0b1af28696396e93c18

SHA512
1ab581a8fad234215e73bb2e24b4199181e8b82ed59801c72daa7367bc598640e55a93cbc73102b8b9da4fa5d32afb89d160784f3a78539ad0d93a37d3e43937

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6fbda07f9e2cb8f66d6873f0ad6e77f6

SHA1
5824ba48cb3c5496b9436164ffd6b1d7bb7b1f17

SHA256
e59f01700d616d15eceb22cebe668669f17a9e529e5db8d3d49963a7de1fae88

SHA512
2cdaad750077fe6bb50610dff2da6f315cede814092a8b5f12814686338ff5e7317f0fafd59671288bd36834774da2ee0c4f077b1ba3e99bf3c4a87bf955501a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9cab1323d76765d1387105e8561f8859

SHA1
2d1c1e21cc879158474c74161ee8d43f95858288

SHA256
3d4c8b8a3a52953a1dba2f26aab8f7dfb4910e4a036999682144b804f0e7e9e9

SHA512
60d456178f07e40ac680b2e38db4be3861e2004f4ffe189f883a94a6a0cba0c7164bd78e8dd7abec224703747e1c570fa66a357810a85f1562c1729b822538eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
8fbfd22939578ef4454419ece7cbfd5f

SHA1
fa89ff021c0cfcb47cf781ee87ef3cb2f8daab3d

SHA256
fa888145138b8467debd33ac8fa1ad8d2c971a9480d73746005b85b34a695a8c

SHA512
0a372d74b2a44b9754896078f680d7b4d96bbc3727d61471d0daf11d51913096f8a1c9d6f88c98ffffce82e1534757276de760df0e6e3add30cddb41885bc1d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
76ba6209732679b2cc3abee3ca1262e8

SHA1
ca0350b3a148ec0731bdd0c9efc9ac97e0b9f74c

SHA256
8ca85c5767748eefd1733e588ff29e58c50eca3ceb2824b72ebbac5a29900210

SHA512
0395aea70f7a5516d78916ff87508185d2546b2a822442b00691859102b7a2c7ab6b864bcda9a670f44f99c6680103302e3f166999d2830481df21314d6f2e59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
0ca57c2c9f29e150bb4e51d75176fdea

SHA1
87b5df1c13311e99b6db3fef9ce2f075ecd9f3dd

SHA256
dc7a966b051d297b157b623ab243d040a2967e613766d1fb95a100f0754bfd8a

SHA512
b58480ab5409c8d6a25f0d7623d4d08e06b764e497d59762b1d6764866e90a717047ab7e33931fb019e3e0ea72cbbd3c1253e45fcf8f47863c62398128de0f9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
309f63ee8432634d44b00a76fcd8cdfa

SHA1
25fbe128723a0ad9f33a4d7307cd7ff46723c860

SHA256
126c21b169a90ed09e56ca10e0e5501a8ee28b02e356b72d8271ef3ff93e6a9d

SHA512
65ae567c8ee415303bcd9d8ced6880f9ab2b198ab9c599ec2b43d3c84e540014fe3eec374e143c1078b75eb27e77f95130aa881e6d45df7117ea190f95e50e58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4e56f0f4b0b1fbec64a17213e45595b2

SHA1
45cde8b55bc9a4194264c606d264ebf9bf075720

SHA256
e584705a313aaa79cec9f888dba3ec5b320c6b3f28e2b20338ab4a415e61feca

SHA512
628efe94c13efa42b7547521da4382ad3d307ba614329a89c31e7610762ef2b07c0b9ed765972a7f8b9d3fbe8f5f0e9a7b18b981e720123800c7b157c34cfb3f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7fc6c32b766fe3abc136daa0a7c4be2d

SHA1
584e0182551f48583287df2f6b813b65fec8c520

SHA256
800298ea884ae68c48eb5c4ddda0b48cba1d4d2bf446ed7afd4ae95eab4c03e7

SHA512
76c381564fecc4c7cf4a7ea7637c406c64c1cff4b2830d6a2686b526dcb47a798e6e42c6da0df2681dd34c93c10610b0576779d52b3dfb9af80f49f6aaf133b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0e8c641e59c1bf8606099199b6ed3040

SHA1
498d4dcc0a51880d2337cd58620f2423b90e9f86

SHA256
f4c754bb1fac79218717d0114e676713d39a482cdb36fb5e3572766af722d620

SHA512
02c75ab34ff1996c09501cfbe45f5c476c4cae89a8e844c0e3259f05c19e9aa1b597894cdf440b4bc89a2b8c263354675c037f3af6fa872eec91de90f936cdd4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
24dd31860e533673747f5603b1abcfd7

SHA1
07b8b8022cfae85e9b96f060384d1d016ad2acfa

SHA256
92b03caf6ffb771dc36517463655d6b24f37023eaf6ad5a75ea0dbc865837045

SHA512
5441f653e1d988db7ca642b38173c24243732b805d9aee05f3d098c424861dfcb53f6c13a7dab23e8f4f4cb1497e13130be408d4e25a86ceb36058f41f23ebf4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bfa226e73af3e4601fbd36b0495cdea9

SHA1
4d920284665bf7df6f18facb5e7f27cfdefd7d3c

SHA256
c2da89b9925dc2c92e3abfacedda07c7a0ac00a2ee7043ac4dfcf3c67718576d

SHA512
89ff8f077d574844dc25b9a576cf7f8fb989780e1409bab12e127833b163e47ab8f4f7b651f23fb9eb00fffa0ce2249f5b1dcc2077caa95e6092e39c37785697

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\b4284b83-3974-4101-bac1-8f5f732c532c.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
87b68a6c3a0f6ef33130b1b51f8bafbd

SHA1
13b7e3232a7ffc02c105b577f89eeca2ed1d9428

SHA256
777b2ffde0387f52279fbf84fb1e9b54116a47ab0099391492de06f19b2ad9ee

SHA512
c374c2a9a4778b7ab67e58da9061533325934b617eb6ea6d652b74ebbb6882f3c22846fb62d289c2570ed55ed97e59c5a537900f0a9d78cb8daaefe3e48ab9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3dd65c58bb51bf743727e8e51c1d1323

SHA1
93cbecaefd1b724eda27d53b8314b3a8aac20b2c

SHA256
45ae3e32051c84c3da1418295abaefe8cb7dc9d9ab9f082afb7036fa127275f6

SHA512
d021fa504a0c98d17a0fbe99e7e1dfd8e044751aa1222989f1be6a73201c179a96a0738ff73d0ec818a5335b2053995d912d5700db0e8e2f919f36a1bd174aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a9c519106891e1e6f31ef9bf3235fe8c

SHA1
e9a8552fed176a4c7d0a675e47d162bde1a91ef2

SHA256
0d893997e24c7dce595a3514fdfe7e4396392963dafbe9b39d157a656b3f1eaa

SHA512
18ad82feb54ab08f56314069a2af642eece0e5c88758f7d55f0807387907bda6da268ea28122706662ed5a705fbf8d623c09995746b582e96535b97d74710459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a30ed33411a9bd7e768cb9546ac23cde

SHA1
15a8bdc89dbc57039bac82e70b1a0b0b19df0098

SHA256
72127110e8fff28f8f3560b50e12e7d5add93378a4a5a3a659e9dfa4359cfbad

SHA512
9b01563f39f2238ccfc3e1ce315f9888ee46755abe796ffe3cb88eb92a743bb5550f9c00ca586bf9b53743f9ae2392f7ab209109f9c0e1a61e44c0b02c403ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577d8c.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
db4f1fe4bf1f04c4c5926b52cca5673a

SHA1
74d9413522f4de4c388dea0db4f64860ea826b78

SHA256
cbf1e0a76e0ad484a522dcf59ec9f2697cb0f2ad24a549bc7e62a30666871012

SHA512
3aae401f188760d1445ec20e3601b49425b7b36d379c349d343b4f1ce90cbf23f9b1ae4769818dac0c9ae063b1495c0bc855e5d1d8eba0bb5c57eff92c8ea9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
68db0e0ea5cba59035ae03538295a2cd

SHA1
a6f4e7ceefc2f20ea3b932d84c22fbc45518cc8d

SHA256
bb12953a44aa60f0f7bbedd3895c2730a428cda3e0bfc9a21fdb8c7187e8a12b

SHA512
3c6db3248db1e025633b4bd567bfb0194530b18057638be2d6f3da059687d0e6dd0e2e8b76fe4e64d2299ef7e4cb5908b0ad3e39d5700220a8b056666f2412e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
1735dc5417b05ac04ae56f018f1dbb5d

SHA1
5466ee1f19b22f6bba275b083ffae0b58998bec7

SHA256
6bf8ee24dfca862ea03e1a818606d36394ce8d31b758f1fc65edb9cfe2263e25

SHA512
bff2c0cc56aed30fc7dc98c0eb046a17d367d864da80d7c92f762089a836639394f08a0697841432bb3fe93b7635cb06d07e65c250f96f8781656cd28f3d1aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
eeba064ce6ea19ea0e36bfc963f30e32

SHA1
d8816e8320af8faf185883cd1cc140136226ad16

SHA256
a13bc0bfc57f77bf613a63e91f7293e0e4101e298203ccb77aff9fedc7974ace

SHA512
0da9f30add4510fb7f71f583dc205eecd30906b53b0aa16046611e9616a0f99b87d396781a2138a9ee197b66b3a1b44bff312dde98fadf9584b0463c61d8b479

Download Submit
C:\Users\Admin\AppData\Roaming\827796ebb4b1389a.bin

Filesize
12KB

MD5
0b14934322dcbf22909e6715f18916de

SHA1
9db64ba630deaf44c0a362c40f0473b4b3f86ba0

SHA256
31a0b4a14bd880eaceca838ae0ef8e13a6270f101e6a0b9eaabc999a05a70f98

SHA512
31548eb805baaa21b1b44a97a8ccc7a4f3f46b5bcaaa5e06c0ae77e26c215915a1c252312020e432a8dd4da5de9e0d0434905477c4c488282ecb9b5eec2ee8f5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1790ffb705e4533d230a93c6aacd66a1

SHA1
fc8f7e9cde616d035ffc756ac19084a1aa8da9ac

SHA256
f5a689c7b8f88aee8dc49334426ab4e7639cd0793acae2755f5845c6f3cc449a

SHA512
84d2f63f9650035f4a2dfd1f448983c39a5267ff7011fdfe20db2cb39498f991342b8e73925b848d3ea1e2685c719e3db8edda44367b4a066914a5aa73fb0d63

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
841589983ac359e9afca59e369caf152

SHA1
fd96f75b08a3fe2d034d2dec549f9331c7c474d2

SHA256
01dde442f83dccde0234501ed65e428e97d01447e9ba0f363a47b9254e6c3ff9

SHA512
858ea73848909d0193125ce7689491d9565892d1c545595defab0745c7c56bfc14b065d38389764f68c1bc673262027043c304f669b8a441f52c27a4f69dbfb4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dd6225e046b41395d679be9a306b02c3

SHA1
6cd21747eb6f433888209e9cef08bf9ec32c7e2f

SHA256
2287f25e708c9877ac7608408750f818f0bc4788a3841cd1edfb4ebdae0bcc5a

SHA512
fdcc217ee74834586366344bb3127b36070186a407b6e5112755be2357cbe69589969fea2a543965c1a2bb4463ee5f5813870c139e3dfed2b34f364c9e1c992b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7421c11aa63cc6da0e9ae33fa4647e8a

SHA1
5f2304edd1c0d80b3b5fbb78632e6dea2edddd18

SHA256
ae31e11b97ca6d1e3b3863e0216f2421d8ab75fb5c131b4611011cde0aa2efa6

SHA512
2c531031cb0442ddff13c9bc50e78fd1a127bdccae671767e82f9e3ef463104b1ebe28a938e6ffb3c6913dd1800c0bcc28b7af0dbf28ed9254a739f4d6f77b7f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b78bfd2a0cb97289f7e65c2aa485a3d2

SHA1
a5863a97b8a802f5d21684f4ff9e25c941ecffdc

SHA256
7f2afd1857db6995efd1d2dcb80d50681da42c837c63e7f7234f00b042fa6576

SHA512
b3f943b5cc3796cd1fc6d08cf4b2a03c40d1e640c0e0ead8c09f00e488c7a5f40b619368c26e6ae33e8fa9ebdbb60ab26f2192eb57ca35d224deccee4319862d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e8422d19b613873ea53c68f34be9b104

SHA1
11f6b7e6550189e577f37271298c385bb844d405

SHA256
ab22530592384e0dd1d325a244cb05e2886afffc967295b89149b375c643789a

SHA512
f76446130d9086f330919375621962f0e98fec22bfa5e4b41f4fa7ee286d6038d35c65fd3a20ce21d26dc9af0b99d39a2ed280c403866210ae4a48137dc01c43

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
47980ad4cc5af0bf4d0d0352967cc7c4

SHA1
80d9cb02fd27529a59c87bd019e1f57f0a8f3494

SHA256
28c2820459e5fe36c1e67049ee921173c9842f593b0d2de06e2d5820315945fc

SHA512
3e947937fb12f9d53cb1ef24594e0e2c47ee2869827cee497ce7a6555985194e77a1e57b5d0eb426ada4f1f9bc888011d231d852d7624df26b71a95eca42e9fa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0692b54d8ea73a37890444c1dfd32b8f

SHA1
68dc0d01e7f099c0ee92c67456b1097278549057

SHA256
d2af78ad57ee5ce6a565c1b0c686a92aff524a54938eb209be1d1e9dbd4ec585

SHA512
93609a7f1ff9dc5f4d396c2c1a4dbc1c99d460bed822d40c5c540af18eef830aaab4f3c5af4cc3837d5dabc5718e055ae88ad586a261df5993b2393d10eb043b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b2351a2872634ce0d2fd33457f206d73

SHA1
9c309a81ac8e5b848d9ff843703d13ace498d4cd

SHA256
d23461999177e2515f7f2e2541abe819ea9a8d49e51b389730a8c89db646216d

SHA512
74a57d9718be457f1cba55c838289032523ba671203a2c3d8b5d09d97a483d2bba354af6c8bb8a82bd87d150e3881640744b399968e2e05057916940ab6e0e81

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9fde4e4a726e389d4ee7c910ebc11be4

SHA1
e8ef0b2d234b8edd5b688d3667ca79a6b604a181

SHA256
9492e7562b8f06500007c64ff9c156710ca6f685a47d5885bc40c18c911435cb

SHA512
11f1167fbfca92d3bc1d900153fd49fee0531fefc747c62b3ca39fd687b3c6c18d7b2440a895a6a5e1ff98344231af79e3c792cfa6a86f005d35f39e775acd66

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
eab4844c5592b2552839b72c0019145e

SHA1
c13d679aa1e9d7d52c842b26a90ad7de593cc645

SHA256
fe746d0bb48bc8e7e0ffe2737d88b7689f8bd17a660fd171cab07f1bf2065027

SHA512
6541d8e5dcfe08da86151f64803402da29a9628f9ea0dec93af6304a85f1d28be9d2dfac049216cdda6a5e30357ff3513908aa444cd52c00517262c096885e90

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0ab2eccf80e69288b1d4eb2b65c0bf4

SHA1
8a0458f78d9d361c5d12500bb011a6043011c129

SHA256
a20d6a78de45fe09097f66e3b106ca04d754c2f3b106956f0a2b866cbb97900b

SHA512
f7e8bf05b0d2593c9e18ebcb8e8821ad4c03634dd79818f032bc38908184915e9c0f58633aeb9998969623747829893c18f0c97beb724efcc3ae258c1df2c9ea

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c44960dfc49e055925621e642187d0c0

SHA1
d76c0c014849eb6a488dd9e4a1c39285a9a3e2ff

SHA256
e409b80d6ef1ab6b84664e4406d702c521b1676f9df7eef796cf92cfb4067062

SHA512
26de6812096fbc2e26debd4d2eea78022392455ed359b1013691460c51adc241e4d9e1246f3e69cdf3711408f7c47b5c187e1628a3ab3011c9e98527a531b3c5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4bcd20fc71f72d0ce8ecb3aaa53e0407

SHA1
f0028ca65a882335aa1c096c077b6c5b5b478093

SHA256
f8c90b29437973afb2b115eecf04e1db06f6f1d736e53b3a39bee023f79fead2

SHA512
7f2ca5b2e91d95c406307493bb9f8fe6cc15d862d5e1da686eb939ad8ce3dbdc68f57c11d1846da51c15ffaaf81d06937d7be7aea9a54d43199d57b25a38b4e7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
482065eec7f2f77aebf98e3d44ce6490

SHA1
ce6b88cdcd68668e0d91b332ece0de55488905b0

SHA256
4c829fe473e0dff9b0458cbd82dace3d53f57395294815d0bf7f0706b683c268

SHA512
e4b8a780678c75c864da6f4b673eab08d20b5ace2806f1dd52b15779edc7168c40edc22904ecb769b8234491fabcf4501ea57edec30c23f5ff4e26c4cc726ae7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df1ac13157342ab4b201fca1e241407c

SHA1
d6b3ef3d3783ee7090442e2d5253539ae925ba0d

SHA256
2de3ef8edfe1a109ea1a6a339b5e93e39a3d1fbbeeb78758fe3feb9c1b75d2dc

SHA512
ac9273ee8a0e6d882332d018efa4bf635fe571010145bce31260e8d2ba1c16549687ddcde45539dfc822fda1896742282fffc3ea8a95a115128b53fd1f67a55d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ea01168e24684327308809cb1e4dd116

SHA1
2b67f13b89d037a62f9a6aa32b04dc1039a2df42

SHA256
1bdd5aa2477a44891a39d82f15c925e98a3ec1d383ee63a7cadf537676ecce06

SHA512
f743a739aa6710398d96a0ab0f048c66e0b0e401f30da2dceb2c09f3a969347cf5f24bf584ac0aafa4424553b3a2ba0f592f1ccd5247b15713a02676c19c7487

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb38f23ffe0f1bd7f1b12fa77b916905

SHA1
f2d877f8b9a4800af87fb60ed0c298ddbd19d97a

SHA256
11753652e81a8d787e0c44a043ccdf0fae171414256579670e638c27b12f038e

SHA512
a180fc81b0ee34572eacea738020afc4a5cddb577fec51bf01e60407a5c93cbbeafd080c6a365156149dc1a84f11a856982ebaf126d88c1e6fd9d989c8315127

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f5e3743b8d5ebcb953d893593732392a

SHA1
7743670caa2d7f2e5120d7f3558243430183763a

SHA256
38a9af6aa6c988309a4d6ee22a2326a7b1757fbb8933b17b3c2168e269707907

SHA512
3d283eeb3a4692d210d62d0f1fb0292e3f93ed03addc75fa1250e2d8a2765bf68a29fb854f5c2f4a6f08e0e5c92116f78bf1111b2aecbe7d00daf8b300d8d792

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
46c802f3db7e6c3f9aceb2c050561206

SHA1
4909feb5d738fe1a964a2d157b21119191d9391b

SHA256
2ff1bd179e49e1893bc8ead9ea0ad51e3fafd25b9bd76877f16eb7bb66ebcefd

SHA512
dd287cea622e4f507f7e78a9c4da0b7c23633574238f52f354dcb778ac3ef3f48be16ef021c83feb15f9f517376e8624dfc406ebff734cb8c9c4111bad50ec92

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
9d4c5fc396dd11a6e8ce943e4cd01126

SHA1
4e6f37bbcdd0111c8e162fc166e9a881bc6aa137

SHA256
21d505d584ea6c2126f16eaf0d4f606f9234416df22485f0cecde71e50fe1c19

SHA512
b639b1bd9d31d9dc92b26b7a9e706b2177c69e0bd30a3b7ad2d6d44e683a92242920695ce5e5121b4c9e6be4adc34397ccb7bc07221b25d14aab1f5fc07c3dd5

Download Submit
memory/800-497-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/800-415-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1056-641-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/1056-197-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/1148-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1148-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1720-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1720-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1720-15-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1720-179-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2328-79-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2328-85-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2328-83-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2328-73-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2456-165-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2456-163-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2588-500-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2588-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2832-410-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2928-523-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2928-159-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2988-427-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2988-144-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3192-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3192-203-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3260-156-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3260-460-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3284-168-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3728-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3728-189-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3996-140-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4048-56-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4048-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4048-41-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4084-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4084-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4084-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4084-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4084-24-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4140-139-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4140-100-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4160-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4160-195-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4160-48-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4160-54-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4444-96-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4444-138-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4444-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4480-137-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/4576-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4576-180-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4664-143-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4824-196-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/4824-31-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/5084-141-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5736-643-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-443-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5844-461-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5844-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5932-454-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5932-644-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download