1bc9db5401daddd7c15d63c03cc30e65672c0a7ea1922e2a0ec2e70e5554eb52

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
Size

4.6MB
MD5

ab9e8733a5c654be25da789cecaf05bb
SHA1

87b212e06132d1d6bb0da373ee69555d93534ea7
SHA256

1bc9db5401daddd7c15d63c03cc30e65672c0a7ea1922e2a0ec2e70e5554eb52
SHA512

113e754e40f34e8745f57c8fa2a796c5429f6bf42d3814198ba9eb5adb2926c00c7ca42fd2fdcb232289788bc156dc6d576cabe6feddc9d563f73938d20a9986
SSDEEP

49152:RndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGF:t2D8siFIIm3Gob5iE2nlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4592	alg.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
1220	fxssvc.exe
2564	elevation_service.exe
5104	elevation_service.exe
1224	maintenanceservice.exe
1344	msdtc.exe
5080	OSE.EXE
3100	PerceptionSimulationService.exe
3020	perfhost.exe
4296	locator.exe
2616	SensorDataService.exe
4628	snmptrap.exe
4508	spectrum.exe
1120	ssh-agent.exe
2696	TieringEngineService.exe
4268	AgentService.exe
2556	vds.exe
1468	vssvc.exe
1644	wbengine.exe
1692	WmiApSrv.exe
1340	SearchIndexer.exe
5944	chrmstp.exe
6056	chrmstp.exe
3736	chrmstp.exe
5328	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\15c5e76fc8648821.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1102e9769b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e48a299c69b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015fb9b9569b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006af9ba9569b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000355d9e9569b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b065039c69b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
5012	chrome.exe
5012	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1076	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
Token: SeTakeOwnershipPrivilege	3808	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
Token: SeAuditPrivilege	1220	fxssvc.exe
Token: SeRestorePrivilege	2696	TieringEngineService.exe
Token: SeManageVolumePrivilege	2696	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4268	AgentService.exe
Token: SeBackupPrivilege	1468	vssvc.exe
Token: SeRestorePrivilege	1468	vssvc.exe
Token: SeAuditPrivilege	1468	vssvc.exe
Token: SeBackupPrivilege	1644	wbengine.exe
Token: SeRestorePrivilege	1644	wbengine.exe
Token: SeSecurityPrivilege	1644	wbengine.exe
Token: 33	1340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1340	SearchIndexer.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
3736	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3808	1076	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe	84
PID 1076 wrote to memory of 3808	1076	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe	84
PID 1076 wrote to memory of 5012	1076	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe	85
PID 1076 wrote to memory of 5012	1076	2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe	85
PID 5012 wrote to memory of 1012	5012	chrome.exe	86
PID 5012 wrote to memory of 1012	5012	chrome.exe	86
PID 1340 wrote to memory of 2704	1340	SearchIndexer.exe	113
PID 1340 wrote to memory of 2704	1340	SearchIndexer.exe	113
PID 1340 wrote to memory of 4288	1340	SearchIndexer.exe	114
PID 1340 wrote to memory of 4288	1340	SearchIndexer.exe	114
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3948	5012	chrome.exe	115
PID 5012 wrote to memory of 3752	5012	chrome.exe	116
PID 5012 wrote to memory of 3752	5012	chrome.exe	116
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117
PID 5012 wrote to memory of 1460	5012	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-31_ab9e8733a5c654be25da789cecaf05bb_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6a4aab58,0x7ffd6a4aab68,0x7ffd6a4aab78
    3⤵
    PID:1012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:2
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3624 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:1
    3⤵
    PID:5160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5828
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5944
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6056
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3736
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:4436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:8
    3⤵
    PID:5532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2460 --field-trial-handle=1932,i,17855802253384633668,16616721412463236887,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3164

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1344

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3556

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d08046c8a70e19d4d1242bd04fba9fcc

SHA1
e0406aded2104cf728ad18eb01e5a273fcc958ad

SHA256
1dd64bfe26adca0c58691cb7456ba8a51c8b86be9bb8b5045ae2f7dbb6d1f593

SHA512
bf145d38a72cb7b3b24972b13105f907eaf4851e549630d73505d0683a8c131e70caf34b06b2ce4bccda6d57b3be7aff0b1593c51fffa7d7f91746e7e504ab27

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
68c560bcea8950ad63d41e284f7b8bb1

SHA1
08b27775a1c1d1d24d8170f45405dcceddfa4948

SHA256
eb4fb1a909de63c3b4d5c55347282242da66fca38051408a9a551f90ebf4d8f0

SHA512
ce8d344c92c28c12b5e62b5ffdb066d026590d80cf2dcd03ec34466d8b645cd3516b763231d7ec95b7669e328aacf0f80ecf1b1df8a5ba08cf64648418dc8535

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ba0e78a3e8bc91fb842e67faf9146286

SHA1
d6f4803e9883f24a3a062d05e5744db2a135c271

SHA256
64f7ecf565f3363af1c6ee8152592657271c8d87c740748530b9ffaacdd8994f

SHA512
77217b3a0a5f4aaca8939d1818b66a6d352624958aaa80881b16e6f5a1bb4b56fb8c4183d61455d542a1fd9354f81342e9dd3bac93aa57a21be08aa971799b5a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fd64a097942d86935150ea140500e7c6

SHA1
bc200c0dfab773311e434890158378bb5f8a5400

SHA256
824d3d29ce6f0ff9305338eb2ea746eed95df2c1956fde6d8761690ba62009cc

SHA512
7dba6f4e5752feb09c0569ae56dca0acb64eb1ec68dae83fd6279ee2dc8eb5a22c1a7dad97a91d422ce55c9aab453acfba045f3dd892370599c81d577cae8635

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fcd4f262fb3489bd98ee2a3ec5c6f1d6

SHA1
997d66b966db1edf06326377c8ff7a823fd8533f

SHA256
f54d7a164cb5eff8c564bfe07881b6c22064d1bd4c72116a703e4e695fc376c7

SHA512
5ae509f7ef09e84f79d34e7751d34fbd2bf2eda91104ec39dfe47a71ca9d89fc61df353b6cb621dad21f4dd73fb3ac5dbe77613193fb8e272a38f12da925b413

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b9c3a228322288497def778bdd839260

SHA1
275a15406bababa6836469d170cb9ba83dbc4f5f

SHA256
50461b3a9b7d5ef5bc5fa3deb3a6db0c8712860250a45a389b5fbc0c46865d61

SHA512
ecc473c3461d04cf0f875f49756897cd000e37b66f1948d58826aa9ae88a05b7b20f33035cf0791f1d4a6aad813e0a725f75eaa9c3ee8480aeb172b99e197b7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cecd04aae0434ff525efcb001ac55296

SHA1
f70882e2bc9558f3a39a10f5e1de2c0a9009ef2b

SHA256
e6fa367ce0228ddda3d1131e654f2a0fdccff4cfa3b3ec39950f017091e22265

SHA512
49fd42357c04c7b99c3bfd19a03b897fe29caf661db5c07eb44100da7dbf8b4adee7cece7a7dd698668ee7a4ed70e30ac78e5e9a738ec84fbfcf81c057420ad0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dc0a910647f15332b7f17d8983a594c2

SHA1
6ce5292874dda359c3dc0b5a5b3f3972202fe1bf

SHA256
c347a17a0ea00563e8724e225b2a3df037b8c7a31f827a3703f3ca1f1f687bbb

SHA512
60c7b70feda4260f35d7a996247ef3c1ec3217b208aea3dceb96abcd86bd9fa4b8ee0212f14edcf1dc550f8e81ab7ba3a0fbb89c5a08688ea262df860b63ff41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
87a0a3f2d9d0351214a287eef0f64005

SHA1
3c1820d71c6a60c0a3bcccf31136b0c57c581de1

SHA256
06edaad8193c55fba322e7071b34fe46d395103cf5d13ff27e461f444f2b1aab

SHA512
6519d06cd851f82de28905b9484ea15c3c8c154e035cf69f4e23fd3a6f7e13756a2beeec8d931761b5052043ff75f7c4c8e19548a702a809c908f657ceb09f51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2fb584bed8887d5bc6638fc0aac15422

SHA1
2147f0bf9e77ac26a5572927726e0dd30dd420ce

SHA256
68bbc262b2b3d2c05f595f71f7861a5583ffcebc131c61c52e04623087f618ba

SHA512
6f3e83b9b5d74e68139ccb18a28a867385da08e027fc37f5083983fc76d598fc89c1f64d7710c33f0997fec9ea9c71fae4dac79ccf2eed6140dc531adef12801

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c5563a04c388ed00569ef5cae7c8af4c

SHA1
f1fe501c65911f9416be2fc94adeb7ea6469c6d9

SHA256
d9f141aa12766db19bae8fc522c38a4466220ad324ce69d38652a276ca263df2

SHA512
1dc0a268d4638e7c9867892f45e7c47a2921593a2743dd2bcfff438a91e34cde615d5168628c1792f66a058859c0cd9e2c2f9d0c4ba7d4d3df56ddd353c41fd5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
03d6cadb159bcb6919b5dbf2a7169184

SHA1
1101163116f6cb8682c0c3fd664204fc7bdddc50

SHA256
f636194b61ca90a9a5b919f33601a1cb9d659354f5c97522ab08f62c82160a87

SHA512
257798415c961aff31e17c92bfaad4a82affcd9dfef2c14779fb70ff74f131160506c292825d23f7efcda15cd2eb90b988a7e10162f1b0421042709d36e47705

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9b16602916804b71313e613a9feed016

SHA1
5c0ddee546e1edc82f1f29804a6565031b8461dc

SHA256
f416fd8b33c7eeffe2d432b3227168cd7ccce8deaa8947d32c2967429d6ba8ef

SHA512
001e6bf87af1b3db9b494b06b927e27e74ef9e7ce8e2a3d954d19760cf0be4986e678ef958d75d952a82bc2a8867eb16412d7bc4ceb4f554145185caa115e5bd

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\696138dc-777b-4119-ad35-a46256a441d3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f9aaa4a7221aa2158e0d8eecf77a23f5

SHA1
e0ed3bfb9ba83d4779d2a3630c715ceaf5036d4c

SHA256
25a8c7c4c1ecb143f814738af2c72d2da008446c1d22cbeba6066b484a3e47e1

SHA512
2b19e9fb96cacbfc91b59d6a13691c7471b61f5b0d3f856d889750124fa3146255f5938636f00114dfcd090f24f447b47699f40a504ccb0c4210386e06a19883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ac4e3c5d152730bc9f3f8a13a9fa2300

SHA1
d37d8433af7dcdafeb3b0e6f3a299620ee3f539c

SHA256
24e96693178737e188682614af0476133cc3c8f76eba26325741a7659f556f9b

SHA512
56734839193ea6e5b2b9cdb576da228656063a84d1c02e106a0eee00bc885ddbc1f2129e7d182aebe28a02e43f53803cad5e1aa121e8d02f6e139d45850e18c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b4ac783db56525af08cd33dd8415e17e

SHA1
b10f1b4c7af688c9502f56c3fef2894436d5f5b1

SHA256
9d524469f9d248476a006a78c9905e56b824e327c36abd7ec4df8d8cc6c7ac38

SHA512
dd0cbee2a58a5e550b330a3edee695fe0e7fc812fd13d98351392fbb5458f16019f08fe27f9beabe4835071edab9681fe5ae9dc8b4c3d754abcc2b4293ec7705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
af7b43542e6f0fc38543fe072f34ac29

SHA1
f40b4dbc484cdd675664afe21e9ec94741bb882c

SHA256
e3c21bc387cddb7f265796bf6fe9c3da639695410955681ce6d759727db98c03

SHA512
bb6826d95b3f54234b99f1582f27f6e228cc766360455dd26ff75f5a4c56e8f27b40414922e6543d04120fa9fbac3634d08b0c58792361e7ff1fc0d31225dfa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5797db.TMP

Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
72c284d32c41a103144a1fdef7530f83

SHA1
9ee19f57495199a253c25ba8578ccae274da5109

SHA256
7ae2e054726807a2d0a11ff13e816ee1d8fa50a8633c0137180856447daf0224

SHA512
54e93cc4ab74e013d76d39a70c765439770c7a31e359d951f797d4bb667db4d93740f5515adbd1954dbd66fda4ce64542f7e491d7fbfe714e28c5422966ef47d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
d9fa94c4f37fcc81f9e1aa119032b00e

SHA1
98db4b046df280961f077d2a56fbea4edc94df02

SHA256
3fbaf79d3229d547aba5fe68fd501b9a76dd1485c8854a06803de87f60893b49

SHA512
1cba02bfbe03f107d0731fdbfbdf9e54687bb38f5cf8f90ed7db7a970b0030ce5d0849c4245ce34e84a757b006ead56d9a04bb196c63769e474b6c358ff24201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
ab4af4f4483bcabf129b30022ee244e1

SHA1
a158fc3cccdb8d4b45af98bd1cff6c136d80e8a9

SHA256
8dfa950632a693ab7d218f7e9ae1dfedb532656828239ded6f92603749fd70bf

SHA512
2fd976e7a12f4c292afe23bdc788fb050ed098c189d7a9e6398b48ba8d1a10fe76ddae1485782f7f8b2bc24251a8dcf8c753e5fd519807fb6a467fe237c686cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ad6c3942cb0fc494ea027ee6be9936eb

SHA1
7cf614d1635a6205ed70d6021916ed15a1a90ab4

SHA256
0c013621c0cbac61d18b2f23fa7e2301b56935b1c2f0e9d585b688edd1e4cf08

SHA512
d89c70d030e59840fa20849d8f67d4957200e3817509f968127a40df4f496db9a970e2280e62c3ef2df76adcc5acef22890d64acd336baeee263805f9f17ec1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
5ecd3a389f00347bb234a1bcfaa55bf4

SHA1
e6cc2e18113ec68dacc07273a85d734c94efeeb4

SHA256
3b7f835ba52b9620bc26c0b546516d3397750b75344724582701554fa0e84361

SHA512
f2f9bfc736baf7f4ad4182ad76a923d2528f68e8f830636cf347bdea57d18c68585c3f9c82048803a37a4d097a63fa92252ce1960a6c11d269133f726b32c973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
f793788006e4101b132549b1ccc601fe

SHA1
12b5f317cb8eb6815dd633d8a204ed7c6e3d559f

SHA256
6760fdf799bc802a0c375d9af0a10d01fb1d844116fc82e1545caff3dac28083

SHA512
c0d632b5222fd45226d900a4614bf1f2e64187b7a6d79b26addcfc2c421ff4cc5233e447884a0a4e4b0d9449793d524d3db85c952a2d337dd51651174f850485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580d3a.TMP

Filesize
88KB

MD5
db44ff5a15cb99b25f6c677903b69dba

SHA1
2b69e8f328f214849656aef5c6b9f1b12641cbe5

SHA256
8d5b1bd36af2805a5a0746711da82e0eb0ac426b0d2675a3944ca56434060056

SHA512
6387af025a6897a221e622a1284addfd0647d20580dfcb251aa8261ab039f8dffefb5dfe1ed72a1c89d06b9b7056b7c138e0c5b3fd016b05555e6edd8673fb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ccbffe7fef55689076550e45c6e185a1

SHA1
d2e4a5e5a86a5a31a2dcc1ec6937a90a6fd0568a

SHA256
1971ea3cc59dd40926477e2b3f717c68ea1a52c3ede388a97ffe503eee9290db

SHA512
4f433d91a29dd2f9e7fa7b64ce0e6c08668aaba6c6df12fa11ec2eca24704208f01467938c1ba17310ffb37f610a2483bbd5e8970ebeb1c7c26e4d9385a2b43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f24807950a758992c0905d1f702747a2

SHA1
9c67c35115f631a642b7a56fb697e5de178a181c

SHA256
5171396e1e1f2f234ff84137999534d5648a4512efef03fb43f0fbf54b71fdff

SHA512
f4c45a48f007235276977cd82c2c46c1a591660d3e7beacb7967ff78e663961617f9cefee74b41930e6b5fc27f439d9cb6e4b4c25e41a6341bc9391e5968d916

Download Submit
C:\Users\Admin\AppData\Roaming\15c5e76fc8648821.bin

Filesize
12KB

MD5
60bdb16dcb9d4603ea5738897ddfaed7

SHA1
7ec3c5cb08e1e44274c00ac5a8e5936f8d31bd78

SHA256
90cec3ee3954e10c4ce6e26a0b17a1ea9f623241055ff29cc9f269350451613d

SHA512
786124d751493bc6132fc34a4357c80da918b909c22a40cd729f5a5b6cffc986d92dabaa6294e889521fc39ef41033ff8d1d697e58b9489bb3cea85442b9750a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ed2cdc5783436a7fab0df04a5043ff7f

SHA1
f3ee2d43c1af5239bf3e73c9780814a302b29882

SHA256
1b0c91228848badb191fc654707133114538bd42f6f0c5aec6a49f0bb20dd059

SHA512
067d5176da953db2eace9f0fb92c5ffb374c8a4e0151f42fd8f31525ac07b1bd65b99b956b7f461199178b1a8161819af8e328a7c035cd942917aee12d4426fe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
18de947212b2ca9718c1f02e6ea23c85

SHA1
6b9f263257ba600cef826ba7214337e81be39a13

SHA256
19430114091b88c5db0b23b93db837d7550619438010e2735caa912918f0439f

SHA512
e699cff5b102f18d750e95881fab559318126ce1f0a2612cd3c7c4b000ca1fe9231e8146aeb926669490b4cc87c0de03f580fc54b1e61ce534c073d9a9e9a875

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c2e17a80df264e00e1f6b5a5a886c812

SHA1
c354d12941e2940daf4d4f0552f162af3783b1f9

SHA256
621b75151e37f90d02b836970883b69a506c82e702d80db73cde2a4f8aa50eac

SHA512
67ecd557b73daec4fc2c857182875e6f58e0534bdf1498975324c7a82f0a7845e85954fc45b8b396b672303a6ded1b176e95bfa0d15a814b93b70b9860b66508

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
78961c6081675855559a6e658f0fd876

SHA1
a7110dc6f2a62ea658335f94ab415b703731ad38

SHA256
0233b62513b0025cb6276a45d32df471271ae6b1f63d7c6f5051283c7e96667a

SHA512
b4790212e6ab2fb138ebafe950ebc0b265749e4b6cf54bc1814f3c3065a6f459d3020a1930da1fb735b8381be1ec2c56b58c6e210fdc504e8c649c8a47de2d5c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
17aaebc5aa37de1facb9029118ca7e64

SHA1
6d72755fc6b9028dcd47f58a495f9b67bbbceaa7

SHA256
f730eea27d9e83a9c7e2bad6f94cdbd4f352bc6b8927e47c7cf3af743d5b5417

SHA512
cc5514caeafeaeb84b2453c7783326ee56681c12a1b738fa53be40c388f4bba6f092070d490ba5c9bfcb7ae5ba472f26053b6cdf457ce56361eb488e74cc3edf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a83501045b9f3c8d3d72c6150fe3465c

SHA1
92a6c8938ebcd584b20f126d863f8d93153eb1fd

SHA256
3af0eb175675426a55b7c60518e12e84a524fa24780f3f213d33da11476b9693

SHA512
8061168bfb0293a5024b107f0be545548d1c99404bc046c6b14418748affe0c0680f4e8547754f2022b203f2089a924490fb5ac76805ab0930c00bd4f05fcc2b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
785d7570edbe0681ff42cc1d2416e84d

SHA1
35fdba60a1ba803886c772a23711567eaf4fa33b

SHA256
aefa95e0b068efd5f333bac60d3e66ade4c41dd1a6afd444b23de49ed2c428b0

SHA512
2138d20c6054be5c069024160ddc32e743cd73584cbf5789aa9ac41d40c6af25c07f88fbadfc110fcb6f987da02555fa2b817e7f98f9e236fe490007838fe02d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6170bcdd9c9bf5e3ce482e2d57c9f04e

SHA1
f5116cfbfbba8274bccb79edbff84e34124fe041

SHA256
416ef5f82cb238bb4dc83237d245b0b959d60f21cd06c8b3f8c86e0d26c69ccf

SHA512
a0a29acb513f4e293da9fc5fe6326e62a23809656f4e6272c0edc7b571a0744cceb7aa7596d4299f0c2b340d0991168037346caec82250da1e17bc21524762df

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
27c37eaa9df81233387704a1f3582150

SHA1
befe23d8b37dddeb508f016689f7baa2520d5e88

SHA256
6c6e3e8315c04ab5f173ff13ccc91f31c038c76e2d6ddb7738cf7515204e2433

SHA512
ae6df967ce3537a3a95241599a4d3094e8cba5932ab0c6ab1db9e78ec056a9576ea7d795e1f63a97f23d39e928d2fd28d7395c35b5158c8319d148b0ffba7325

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d17d29724a6809730debbf886b6cf99

SHA1
678c6b693f14516ba99eb59d046f1a3a3d7254c1

SHA256
2086ec63fbb4365084a39253ae6633fffd35e160d61ce7940c8b49c99d3102af

SHA512
23c06c68469f6e972630bc517b3ca6d29807e613a64e0a5cfc35e932499d03c289cb35548875036df3ab034b96f39e93408f98f6c3033b50ac0a1f3642a7f8eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
63fbe338a80ee1542c66f2e98a25dfeb

SHA1
08648b98bcbae25e23186611b9f61980edabecba

SHA256
224cdf37eb8816eb8f6cf536444e29360246d48552b9250301f8f4bb306e1812

SHA512
b72c3445011e932e396ae71a85f6395aeae00f4e72866ff6dd56f9f3043465ec9392ab157d3f4228d17679112a07a7e9416a3533c185c002ae3852e91fa59eb7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7732f396d6fa2a32c89f00ef38e451df

SHA1
0a019b7dc89624f7286a2df67609e4d2151aafe1

SHA256
3e60d6cd54cd7d28ccdc7f4d274788dce939a0b82c7681fe6075a6c69e3fd1c1

SHA512
b3db9591a6a00990c8a49f9d13bd027b1e825454126b3d7b0316a598341d712b0f36e83054405afa08350f5566d208a480edb067bcd29458f403275341bd6f96

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
edd0041f6745eaf31a1ec14fed58b503

SHA1
653c57b9a00457f1f0579a93d9a77095e66c93cf

SHA256
88b1c94792fd71bbb905219bf7b102934ac941e1a20c9b2b4ac4fc9729c951c7

SHA512
feeb8a75cf4610a4fcfa4f6fe0fb4b0a9f622dbc691c9d47aa33963cb74632ab5da95a8b83cb5033d074482e8c424868279915c507476ddc599fed4947935185

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ed206ba01ac3026059d356c8c5973a18

SHA1
3c56192c155232d24df511655ef54eca1917859a

SHA256
f190697b41cdcd12207477100e895126eb7b435dd41fa42827e97eaa56b23502

SHA512
f115fe86fab2f78ba466c03226316fc47418e054d07b03e41dbb0bc8c20657124ae7c4c26031a910800ea1c6ad6dd0b07a35a56ba5d58a9af0e987a23eaf681f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3f07afbc95aa5f7b0e30e437c946b51d

SHA1
5d7d0acbb6e26851d841b108e7526ef153574e2e

SHA256
38bf78bb486cd9df293d315056930c241991dc280d6e317422805faa285c5671

SHA512
a4cfccca351243027bafeb67cdac9bdf94ad0d170cfa39043976fdbc88831c6cd4886cd4ecf0edd3f06ffc8d5297fcce8c9064acae1b333f6627161cd5d69a64

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
af3bf4f743756c05d1f66a59a41cc71e

SHA1
01018bd6d3ecd310bd5b7a5d171cdf50e32673c5

SHA256
a7f620ac5503b3418b0bd0d58cd78f522fb9ab5d13e2a2e0318901737e2b55dc

SHA512
0aa1ef002b5ec7a0277a4708ce187b6ca4d1d1b28111cec9c9f5a2677aabd938aefec0bae28e58a60ae3126bbdd07f693ef7431fe364a0cdf44c2a5dd8170801

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6828f0a3e603ec3d08bc7cb1824b80a5

SHA1
4d42b63eb3762d8c866d4c1c4a2c22f5dd417c95

SHA256
b1f44de8d570cf77b3d7a4e5a0c2cfff2fed482978d8e03e716199a5a9ec4511

SHA512
bd27d4161211869b3537e9630c66733689306a0cca66fd7b68e865a248d1ba08631d960ccb0708c21d2d3a0b60a9819be3d96400e1544ecd0edd22c42637ccaf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2c9c97582bb85b0af5a0f224e3f7577b

SHA1
d8c04f9240b57dd3f0d9b3a8be99b6af9e70af9d

SHA256
b359fb6866b30a0c4261855d7955cca07f51a842e5d44fb388d743cc1e4a2af7

SHA512
999631360bf8e57400b4e124a5c0fc88539715717c4e131f927ec8647683182fb1e49c3254d318e51658475a2215ff4cb84cce1534a59b89951b0b6b267424a6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e9116594eb6f073085b1e9a3ff6d93fb

SHA1
231ec4d70683ae5f4639a9bea3019b864291b838

SHA256
9e26df393ae3cf9ff0c619cb0f4def819116b46d9cf135111a9b5c7eaf9169ef

SHA512
4387409715aed8400d4bb5941f5726af9ce4fac68893ed6f74d5c474421f5257e2298b962648dfe886160e926a3e7367a14dcade6f349a6869fa5cdc5f25db40

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c9999c866c5cac944a2001ad09d4e470

SHA1
d6baeeb43be1759a68a5b814734aa3f55b345b77

SHA256
f723cf2b07df4400d2b77455a60e5bfbc8a0c6d60ea3bbfb7930a95da15e1fd9

SHA512
b5ebbf4ab2198fd6c589a147e3d4498b4ff2ef93d5899dbc7bba3ebf5d9a2a3938c6effc55482fa0d7335d85f6c443de0f681c241df40f53b9a3bb33daf53f24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
eae30b99bf4a5861d3b397a8ecaa59bc

SHA1
ba5f16d13860ea1f5fe06b2c4bab6c4d065cf1f0

SHA256
09f341666b5d6560362b76d0de8b8b0dacca3db0fb0c1df1713b25ded1641e85

SHA512
026cdaf601c7e45c8f675e02a6863b49adb1b1f7c85164ac0ed0cdcaf76078cd190320579036b84b90d98e3458ac6d84067c27c7f98385087b96e105f84ad1a8

Download Submit
memory/1076-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1076-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1076-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1076-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1120-271-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1220-55-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1220-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1220-61-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1220-74-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1224-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1224-88-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1340-703-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1340-385-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1344-262-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1468-669-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1468-274-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1644-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1692-670-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1692-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2556-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2564-480-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2564-65-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2564-71-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2564-261-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2616-615-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2616-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2696-272-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3020-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3100-264-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3600-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3600-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3600-259-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3736-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3736-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3808-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3808-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3808-655-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3808-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4268-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4296-266-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4508-270-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4592-40-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4592-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4592-663-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4592-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4628-269-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5080-263-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-260-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5104-668-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5328-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-710-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5944-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5944-601-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-704-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download