e098c074e02142036960b624a5d7677ca52011e9cb673e1165dd6e85b8acc943

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
Size

4.6MB
MD5

de9f7445e4515ffc6965b53d138d64f4
SHA1

4e950713d0bcd250801fe8e226091bf5a4ed35b8
SHA256

e098c074e02142036960b624a5d7677ca52011e9cb673e1165dd6e85b8acc943
SHA512

404faba9755e89614cb654fcae6b89422ef2817d2d6e29faaab2bbf0b32ee7c22673a4a19c93c22dbdca373911a2cd502b674367255ce272b145df017d2c4beb
SSDEEP

49152:SndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGQ:42D8siFIIm3Gob5iEFUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
836	alg.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
4360	fxssvc.exe
2216	elevation_service.exe
3672	elevation_service.exe
1556	maintenanceservice.exe
5004	msdtc.exe
5008	OSE.EXE
2316	PerceptionSimulationService.exe
4348	perfhost.exe
3508	locator.exe
2032	SensorDataService.exe
1820	snmptrap.exe
436	spectrum.exe
3812	ssh-agent.exe
976	TieringEngineService.exe
1736	AgentService.exe
1500	vds.exe
2000	vssvc.exe
4392	wbengine.exe
4316	WmiApSrv.exe
2800	SearchIndexer.exe
5840	chrmstp.exe
6004	chrmstp.exe
5136	chrmstp.exe
5268	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f8e0e2ac3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae075e629bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa5080699bb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dd810639bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623215921542037"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075c5fd629bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d13208629bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007277ef629bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae075e629bb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
3496	chrome.exe
3496	chrome.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
2500	chrome.exe
2500	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4580	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
Token: SeTakeOwnershipPrivilege	752	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
Token: SeAuditPrivilege	4360	fxssvc.exe
Token: SeRestorePrivilege	976	TieringEngineService.exe
Token: SeManageVolumePrivilege	976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1736	AgentService.exe
Token: SeBackupPrivilege	2000	vssvc.exe
Token: SeRestorePrivilege	2000	vssvc.exe
Token: SeAuditPrivilege	2000	vssvc.exe
Token: SeBackupPrivilege	4392	wbengine.exe
Token: SeRestorePrivilege	4392	wbengine.exe
Token: SeSecurityPrivilege	4392	wbengine.exe
Token: 33	2800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
5136	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 752	4580	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe	83
PID 4580 wrote to memory of 752	4580	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe	83
PID 4580 wrote to memory of 3496	4580	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe	85
PID 4580 wrote to memory of 3496	4580	2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe	85
PID 3496 wrote to memory of 4340	3496	chrome.exe	86
PID 3496 wrote to memory of 4340	3496	chrome.exe	86
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 5016	3496	chrome.exe	113
PID 3496 wrote to memory of 4444	3496	chrome.exe	114
PID 3496 wrote to memory of 4444	3496	chrome.exe	114
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115
PID 3496 wrote to memory of 1480	3496	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_de9f7445e4515ffc6965b53d138d64f4_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5c0dab58,0x7ffa5c0dab68,0x7ffa5c0dab78
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:2
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:1480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:1
    3⤵
    PID:3464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:1
    3⤵
    PID:3904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:1
    3⤵
    PID:996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:4948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5840
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6004
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5136
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:8
    3⤵
    PID:5328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1856,i,12824197256565048860,12112945045706952815,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2500

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
31398c156fa23541c3d9c6b232b7bcd1

SHA1
9ef70e19a243cf6141578fc8910b9f67e79f7ccf

SHA256
bdc1248256b709521b38cad010394ac11054b071bbdc8111f241eec0620fc839

SHA512
c637c32570cb9ebf173dce24d41e9f67509fcff578a9b5d01dad4aafcd531c73545efbfca872f39d34a6890b5819f73c906acc313b7d87f7609d560e61c63615

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c77b484288bdfb0503398feb5621d5fa

SHA1
f1908f0a9ff921876945f31e4cf2af62682e4684

SHA256
169840d97c80bc6e14f5cee73a0e06726149046cdd468024091de086367200e9

SHA512
855e6faff287773b63f8d2a4e6fbaa7eccbbcf8576d636285a687701a17b4cedecf5694a220a55c707cc7976130492a25ed26dc3de2c41d9fc3aaa2224109fb8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
503d3be5a91c75a6cf9f07175092c07d

SHA1
957a9c9f574e7bdfb75980a2adf74d6aeaf2dd11

SHA256
8f010d26cf5233e2f8a51f0069c01d606d337dbe2a6d1f3878bb4de0531c4d73

SHA512
3da13dd48ad0920c597982ab05433a14adf573ae8085e4e4991e97d8dbfb1b6a066089c04c4d53ad033c946812c0c9027e031b97c927c944abfc3e46e968b635

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d62477bbcdec57ea3c433e38e867dbe0

SHA1
02e8ce8aeb134c8395e6c6ae287f817424bc70cf

SHA256
4564d9caa14b2e6ebee7c036aabbc69a8e8c342ea27ab7b24d4d89226ac90b3a

SHA512
3c14e932d7adbaf7c9ec40709d8e1d4718d97ae45d75988a6202e6453d3a4fb0b63eb491860d305eaa8a883d59160cc5aad1f76884b72f3bd980076c2a4fffa3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cead34077be7bfb93134f96320d1f18c

SHA1
685b7ace40af40de24a6fac97ec7f2dc8b0d3ecf

SHA256
d3290b34e45d92ffa3afe083f51d9d18a9adfcd44bd89efb7e5736132c083abf

SHA512
481a40286b2375d9f29a1955f41ddfe7fa79a0537bb6612664755f81c7dde1ed4975b30d644705d69ae2a65937cc01f4a016c734f4990bb0c2985d715a2f976f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c96cfc278a5e99da8fd3e825894fbd48

SHA1
11f253fce9f985675431013626065f8a16434093

SHA256
9375c0961cbf6ab6d7d6ae54b16fb89413ae64d5fbed7ac18f771b902334596b

SHA512
5af6a34ecfbc94240baa54ee3b9369c8fda64deeb5040c1d8fde973067078e8483bfe653ff4013fb115c4168c34d7c52f745780cb699ffdaf1b4253f84d082e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
10611749738867cc06a69e41a19da833

SHA1
570dac648f609e08c64897e9dc5c5d69ac3c73d8

SHA256
12519eaf0e0ad564a36e75c2b477085175aab351bf8a609f3a60f94518d50cd3

SHA512
64e1927961f76b8c4747954fe72f8b5cab6204c4ddfa23f81b8f1c2b87182f7c8e595559d1b2f63ad1d52e744c01690c886638a9c0c55184a5ed36e4224e0435

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c2e2619f1ff0f78dab15bbc14bb19ce8

SHA1
089c41f395567984f63d2c0c2f07742e017ce2dd

SHA256
cae2935b87c4f1fa30ee00f00e38574d0236a01c4f6ea7808db778e9687a74a3

SHA512
c1f67d66d2f52505080f895fe43a2e09b3e3c79c7dcc51edea260eda254ee8ea54a6405594c2d5a8248d047323f6dd541d2c932787ef8efb4b6dd6d06976d074

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c852fbb3941e31479826836f7dcfc7ac

SHA1
db952d06eef9d09bdee394649b4c6a2b1bf19e74

SHA256
9a87836d057c0408ee2e9fd166edd9edf212596b37aa2d6cca0bae12abb87322

SHA512
18ed44c94aacbbc5d4b599efd431ea9a846a89cd26114c89d2a89bb84cdde2253113f3162c10fcfeaa834f980da0816cb1720a9e1b43b948003c239b2087769f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
161ad023e54aa4c54b83670da829623a

SHA1
ed82a50bc05feb2f3cf78d41bd73e31b3600ffb5

SHA256
1aaa8be0223ba9bc00e7f7e0a1b4d92f712702f2059cc3020a6bab44633757e2

SHA512
0f8ea46c76d5c8f25b3376b36003af26aff6343dc03ce267d3e02b57e0aedf0b8f66a24d75d36d2ef8e71729b071f6b5b59217adb5addb62b2b1ab2f7f3b5f09

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ab46e35e157b41f2ab0d95471f6005e9

SHA1
3b29971d4552c8821dd2b3ba2b7d220ab49d89a9

SHA256
ee6100f2b7fe997a003b92391ac590f6c0d69853c4fe0503cf288c37e038f8a1

SHA512
44cfe6cf9ab1166a06d912cad76029718171cd42b794cc3828cbf5a4fef813ef50af95158ff526e019ab2e0dcbe68a65abc1e2634b493ecf9452ac132aa2b8f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0eb5fb357197093fab29317a44b63e55

SHA1
688e7192bd8d5826941f27f5aa76c9dd13706846

SHA256
9a57ec041cb18c7348cbf318185bd549cebbc8a173c546b7c9a5a159c0e78929

SHA512
bbbc80e776adb61391e7d0d322a15d66e66fa45a7050d66ee270ab90b33c84dedebd8913ac4664b35ab4437dd1dacd73d51795ec529cf7b58ae4fc65225bdc63

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ddd2ee7177ede332ab0ce5137f83bfdc

SHA1
a80b747a8108da9aa9d1c9a3f1beeade3979595d

SHA256
ab7ed1f7a9c7454aa5cb9245c7931fac4aa75a38e99035b8b0c6571958eb19d0

SHA512
56a2cb8585a2c42749f1aca73a387cede5060bcb97185a4ba97585619f1a59d3729e16c28faf1adf548a2852e32f08c3f5682bb3da7d2e50df415277dda30565

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2737cc60-4ab2-4203-a31f-8fb969120989.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
82e2fcdd040c44e17ef99e3925118f4d

SHA1
d90c5738888afb3aac32b97b73632b2d681a82aa

SHA256
bf4332623b5eb7103898bbbcfc1a6e6523e1b4775b74b5b6245a73ce0896b2ff

SHA512
acf5fa46c4099406ed6448e29a60d158e0039f3602e19d22750186fe646fe866a55ca4c679833420581d2e4f2be5ea6d45a9c6460b39bcebe96496411cdf0b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\07d90d85-22de-4c2a-b18d-64f91ae9b996.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f600a73900b059f1dc570aec97d50a2

SHA1
2f527d1711ff7a53d742984b336b15efad04eb39

SHA256
5611ebbdf774ddbfbbf4b7cbdb6511020828661bbd8dd5c808f86c2dc22cb37f

SHA512
f9c00789077cb437c3e6e5b95f6bb2c5beea9dad9d33254eb96efec2556dc57bd753995140600995d5e79c048ac41d3941b7eb6aedbd434276cc3c9bc3ee4fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fee6711edc569175ae1dc11b463e539a

SHA1
d2c51ded85c94464c116db01510ea79706394b47

SHA256
a33102e5d83d3d64fd3312fc11da92183a07244df1da2a5fadb35fb1b6ebe571

SHA512
fff2b13e0f9b314010d03ac3273eead637d476757f11c275a2493d8d7f47baeae6063e7ec93840eade973f77798c65f6acb17324671a691529bb108bf2dd58f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1b2e3b2bc1c9d351c498b65e9493e8e8

SHA1
9fbb6a94fb28d22a8c14d294f3534d4e4174e84f

SHA256
6703d7688f2fe8e5ca55b85ea88e7dcc330a49fd912e4e94f63edce2ec62601f

SHA512
bb7622475e6555c421978a0c482aa1b3a893fd48557d968cfbb448fed95c4ec702d62d2a5852a86fe227bffd96240203811dd090faee6e27fb80e24fbc723b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57803c.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
021c923df84ca7bb62ac1d7c5d1270b1

SHA1
ec1f1544ada926049fb934a0bf239f5db3be9afc

SHA256
070ebe39241183c8b8324ebdf4b68ac74b82524e6ecbc742d503fbe5fb6b1006

SHA512
c8a39c0635397c2f5fab03621c566f1603bebbafb589fcd420800347259e773f5929037bc991f45024ffe77928c27a6e1263ae046b20ddfc3e36c631e1afd631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
eeb3ce32ea8886bcaf7e98fc9af773cb

SHA1
2c601bf357e86397536a3b26d83811a1c5e57d73

SHA256
a6b2a44afb2179dba9f9d9a9fba2731b1ce68263a7f77be69b3f6e0e7b616bbf

SHA512
7839ed885b761b70d5286e5609a2d16cf40ae899938822944625275c4450e7f16f646a925ee2e1eace2fde194b7ba2e48ecc768ead5ddf625b2106b1ca170f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
abb68d0bfd2dc382aa13b4a7d140bacf

SHA1
d442e42f743402a733072ea77bfd87d26e698d19

SHA256
db5a9cdc4b264476a2c2d24cf0a44c871d208d69438854fae4c975f306a014b7

SHA512
988d3b7062c78fa3446d5c9bfacd28109e54f38b7feaeb85d75fdefddc2799fca06c91d613a77af32450c5620098f357b7572a531ffe95b9d3c2e621f1d61085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
e835398f652fa96217070342b09281a9

SHA1
2e45caaa6726d8c3ed9acdc2483e7ac586d3e950

SHA256
ab309126602151d2d43e0d38fb367ddbd7b241da32e53241a93cdb1beb9a0366

SHA512
a83048819f8833eb117be487c9a6535979a19cac5012b5ad2f9e6a9c7a3d650311b226142f388f1a58c0725b77183f723964485dbfe30811e8347ae15df9167b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
3ad645a2218f4d259279af1167106e37

SHA1
bbd76d41532c2ac7016770a3dda2d051744c65cf

SHA256
2a75d28bdaf1dea2f896d1bb6a745108934d92e5681af866e0d89235fb5761a8

SHA512
930e9a65e8d85b217bb048434e5ef70483830ad8f79bb1a1a9eeb76ddd88235ed905f64d558acd3038669b33ec84426cf2f6ea43841ed6337746ecb14eafa6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
74316689b3e7ab2af37f519fa371bdb5

SHA1
d4e949d79b549f04cbc159af7488e1ce9edbd382

SHA256
cb518f4dfc39fcfa9398e875e2244863877ad107c83449a71ffd2efec69dfb5f

SHA512
a61ad7d96f843e74455e1ce03a5dec00f05869ea5b9a4e944868bc967a1f713f0ffe35dae097ff4f210c3a76e80b177832f6f820f542e671fabda2f8ae915702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f5aa.TMP

Filesize
88KB

MD5
223ce012f265e9bf9addc06bbcf6bba8

SHA1
c834b1e521fd6287e24b7d0cb18d54c2d027218f

SHA256
3d6266f11779176250def1bded2dd4066ab249aac93800a6f4764991a98b90c7

SHA512
4ab994f3994ec2d59ab2b454e4b3cab6c3737593e1386f82ee167263baa1e21a191c83416a726761383a5eba7a469ae3005d201c0e73163c3388e9c3f4f19252

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6448bdc55e0b8c5588855b76f41ea2d0

SHA1
36365a6bddb6ef29a4db7dfea8a13e22c0607366

SHA256
db344fe2e88813e7f4845262cc83ced4cfa71a026a3726a5584879bd7f3bc57b

SHA512
91404681e82aa419832268cafca2339eaafee4b10f4af0115a38549230c6e96ba4d23cde16e4f328069be9794a6656bf72b079b72584a400a9154d20a85b35e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
981a85ea67ed9f52b185fca1bde279ee

SHA1
6e551d7b1c95db37f146e0283d9020ea7b85105e

SHA256
fde4fb4541269b13000b3b01bc304707f31f9a53e72d0d5c32aa8db78a0d9d8b

SHA512
101d61ca3e000f180edcefb7cd197e2a3374700be7a2b5a26f3a65f1904cc7d40a74cf8313231bfb659fea6d41d6a32a6e5fa7e9c53b729a3af9478d1e06b168

Download Submit
C:\Users\Admin\AppData\Roaming\2f8e0e2ac3136770.bin

Filesize
12KB

MD5
6e112f9bbe679ede1cb9b137dcebf037

SHA1
e786cbb295aae6063ece68a0a30e7126b31822a4

SHA256
eb45f12cd5155f04569452c4846185517848435c426184812144f4dc0acca726

SHA512
b98a3efe50b48970eb49d0749a2af8ec949dee97002c5b0910195cd27a08d4e4f521c9a288d86c911b381088334410a9bb2f16ad64389bfb98f586626bb71020

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e5b6c79295eb54db8b7c00a9732d2269

SHA1
34c4bcabcdc3ecb15ab3b50b2b78a43c6679d4d5

SHA256
1263c84860a4702a336c2c16cd4d96cec10b3fd85799bb314e912cc9498ce358

SHA512
ed99db0d1c0b0c461de79b8654ced451814ffa9f8308548ea83e706bf3c485824d183196f5462e5248a6753ba531b746b55cd523f53bee62205676e17a699d14

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
22193cb89be0b82169681954f7919b35

SHA1
a887a98c206b28d342d31e7e5c1e5bb33bddf1b3

SHA256
a46bd96232d783cf431f85d17d88395ba7952ea9adbbd58ff6a90fe92b96ce5e

SHA512
d2ee902eaec8aa532de84b5962338ea586c49670c71f68ca7695e1887be01f1f87a1aa78cc74d22f402eb673ff647e561ad3b8a69f209ff7354bfd6cde46a5e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
306674959d823e36b930760aadaf9b8c

SHA1
d28fec151a4576d09077cca324f2ac2f83d3f864

SHA256
6719704245d0e3b920b1842fb3fdb7e67596b1515f160ac66451272b33bb3569

SHA512
8966e394bfd62da64614b1a6c30c946a7db2016ddfb379f64352ba9121da41a750e56e2de0e4e60444fbdec9172dd41d2f9e84b28b8458cdc050664310a38523

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d0181391b3130054a91bb97cb9e97312

SHA1
04602daeccd1b0c3b3c57e6cb1de9d32b1379bc0

SHA256
de0ffe175eaf59e09a2034fa0cebc2d82edc3632a1a9a52b6f7bd63446209471

SHA512
f8c86934490fc5e80733e3bccf002b2f0e2b899bcf21cc902d5f7cb1acc0634eb6dff1df043f025570466d4414a0a06b544e44de38ac867e8889085a58f6d0f4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7f46d596126c2262d5e56037dd80823d

SHA1
b401f45e6d6eb3d3c974aab48723d8e3b7c8ba61

SHA256
7f369b760b49d8163080b26eb8f1c169e928baa9996c19f78087222183ed0f11

SHA512
0f7f99aac40301b9cf8808f89540ed37892646cd7d9e6022fdd431d4cdb892f58691d9e02c69ebe9254010861e12379d2f350ae21ce061283e48adebeaf7e3f6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
33e34495d0d245fe6967ae6e71ad9c33

SHA1
de027f5245af75442fdfc5fc76037e26a60e8a37

SHA256
19d3f5994fbe00b048852525311823cc19330092b667d1b3c498065255272fd5

SHA512
4e0fa8b617d139ca1af3927efbac4e5c86b256d3c8a5ef312f54557467bbec8983d713be729dd0440c944904e425e04e877e98a7285bb2a0771768a214c576cd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e7277bdf597b9282a2d1128c86269770

SHA1
380448ef7a8c9eae26108324271966ac64bc6f32

SHA256
251bd9ffcef851f997e5f0efa18890c9d07a1d380bfe4d55bb46a4db6dedcefa

SHA512
7c7f8b2b74ac93e6898ef6bdc49ccd62c713b519b06f74cf60d10a777ddd309da5280c61e56ebc33e8875c167170096a5609a0bf27704e0113b7309945aad6a5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c5b42447933fa0ba5f6dac4746178b8c

SHA1
f5412458d311da38573189be328d6b6dda04dc54

SHA256
e449b290e00f351706fe099844958d3d29ec9a3764a6eeb2f4ad0bde20e8d3e7

SHA512
0f3ad0980ce246ee9c390cffecb5e3b8009c61e6ffeb3ec6317570a1c8986a4adb6ea19ddabda67bf63392e724282b08f0eb8614d7b622749a6bf8c2406d3238

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
93d7d10e66fb4a682c9dc4d64a46558b

SHA1
c7ca178703f041481e2dbcef0b6384140406adc1

SHA256
bef24bfa3edc60f51b12c95ac4e3905150a7ca20d4eb21c9b7643b44bec5127f

SHA512
bee6d9a56821eb716c34ee3d1dd27326a6062a9977ec98ed5d29ecd0902ca26985d76dc44fd118cd9e0dc5a3d1eaf09516212e167343dc227c44b57db9768714

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
39cf21c901f87a5050c02f67b9ec33a6

SHA1
4c1414d061a85fa37e21c06c86dad308e3109af2

SHA256
35666ba2b2674aa97b824b75f267a18895cd06616f6ba7f786e0088842a67390

SHA512
553d94bc036e37d513b848aa95e5720dc99fa79c0dd8f585449e275574f1bf3cfd5d19f8384a49fee0ca2966c5692c85dfe0bc4f1f0032daa9232fe466b37073

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3e58247ed2e13a9ba09f0e2e81ebd12b

SHA1
8188e05ea962cff82f793839e4b5f0a9d470df6c

SHA256
037b47a854fd55c5bb9e5e0c66c2809751dec022d909bc03fbb918b9356003cf

SHA512
d2f2dc0d58ffda8e85c8c629f70bb1755d5d02224bbe9544d1ef907dc3482c442ec2cc7f2e3d665888e4d1ca81719cfaccf55389dd9471cb30a4e8a2688bb1e9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1cb698886b8f5dbfbb4d2ad6c3660c4b

SHA1
daba3d1176817a01e934877279b3617ea707c2fa

SHA256
5c63c5fc1a49fa84d85a5cbf1ef88ee63aeed456995004f1b27b0eb887488649

SHA512
82266a208ab42da3df975e9be0b75881e76304732078fe1c48b344cb9420cd8fa66f37c72621c7c447cbaa48c1d8bd1bc59f9f0fe90e1921ba65f1c610159735

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2375a4676ad43ad8c4d4dd568086ab8c

SHA1
368ee14668d24f01469bf45af402fdf80293cb11

SHA256
1b4ef2842e9dc18d6825a778229771294cd6ed8baf26d9a837cdc3bf64c1e1e7

SHA512
f47da9d1007a42495f49633798500a1b70c11a631c2e439dbcc5bd6a3c64ffbc3c326e29e74af55a24caa2ae5ab83d120b535bbfea903649497b417f8f7840cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c2b2e9800c2f73e8cd6fb70fc1a0a6f2

SHA1
8e33734f7e9329838966bf902f748c6a419aafda

SHA256
6b2bffbd5d112ebcad6ac0be348aaed3d0984c1b0081f7fbc415c616a559344c

SHA512
3e2f3d4f9d5fc6eac0160f8eeeb11eba0ed89021d36bca5a5f38ed4b067d3bdb267d6568ce7ca48f7e26debd6db1f662611df77d7e7549e63d3ef90607af9e14

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4e251b2f448e84cbd4460eefd6ad9b55

SHA1
2aa7a86c59ae28a070c8e765c509d6bfebc0d18c

SHA256
aba76c3b1f591b2bc14bf0a79e8de51ac611801d52401def4fdbdf310e1bf897

SHA512
0aad995c99d85fc78699bd6ced064b6977abc341e073be9af7cf050f5456f3c2d3e61b44e33a5690bc4c096fa65b8683850c46c07fd139cc4f8345933f1e8938

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ec06e66b53a12fe23459309298f6b22f

SHA1
eb4f3b778a5e71f89569497eeed1f6904372f251

SHA256
0264ba00ac52429a1caa5698085f48bd032de4c946b143d78c1caacd06e46840

SHA512
62cf71c19ef88a5e9f172b6973c910288e2d3290f535c6a4f707f91051daa96d23c7d54cc9ac21461a1d12bc4fe49a05548f99f6107d8f77ec8025715769d0d5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2fab57d00c392b7422bdd58e9689fc6e

SHA1
2847451d2223b913d5b35661694ede45b5f6bca0

SHA256
c766391683f86445da7596b57c8e4431ece6af28760d3167d69dd9410d201956

SHA512
55430d0c2aa278556d758f625d3a404abd210b0748a00caa63b32a9c90887f5e3dd44700aae08d6e2a06cd0f4fbf8d479df0f12a67ff4d72201ed0925f53ffdc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
94748b83e8efcbc63fb71dd1685bbe6f

SHA1
27a736428e7be6a041d0dad9932b32a7647116d3

SHA256
264a9cf71bd3cd6ef5195518582d468d8a9dee323c73e3f208a054ac51e9c1ce

SHA512
303f91391cea01fa77721b72b03e61d0da366e0c76ddfd012df6087b524a784540f6d3778fc926b696844a72c784a9c7255269ddf50964a0555d139dd07618f0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9c2b26ad1b7e6fab2cebc9112e89c82c

SHA1
fdf2871959451a9a271dcc098835d84131d90179

SHA256
ef72bb59274134d47e9abe7edc054ed5b4cdb64f607d28b249112fa8beb1ab5d

SHA512
84e1fef65df291ab45570a57ef0d674313ed1a63cc48b323260eaaba6255ac9fc891c45e934e657523f397385ea96679a9fa5acd605471e7e6c3d592cd2b36b1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4c1e345d84ce2e04c87c871c4f435359

SHA1
9f9cf2121234b8f246f5f4e415e49ed129a29242

SHA256
ea1130f69e3e723f8bf3cf6c02693a93612fedb04aa965ce01705697b5d6ccf1

SHA512
2f4e5d5db535bc31385d115de4f7479c05e3d4cb8e2f81eb98a0f6bb16eaf7a894de3d82d4377a53d03e0bd3f3e95c045ffdc33d4190d9c0b3d5caf111cbd916

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bff0c40247342a533ee34abc6b8de63c

SHA1
75d5f7b97b470f07db09e4ac9a6129f8da30781e

SHA256
6bc19e3394f60d415557fcbe7c6c4d52a0ebe2642f83c2ddb204b2508cf507ce

SHA512
beb10b71869a61e25315b2c7b9e6e79e4a5f77d43d196ce2578f4b3f417f883f50472b2a552b2d0be9c156b57cdebdfc30e6f7c23081c4808162600b8f4fa026

Download Submit
memory/436-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/752-463-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/752-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/752-17-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/752-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/836-517-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/836-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/976-226-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1500-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1556-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1556-71-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1556-81-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1556-77-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1736-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1820-223-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2000-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2032-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-500-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2216-371-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2216-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2216-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2216-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2316-101-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2316-214-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2800-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2800-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3508-216-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3672-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3672-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3672-601-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3812-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4316-235-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4316-602-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4348-215-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4360-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4360-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-234-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4580-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4580-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4580-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5004-211-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5008-88-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5008-213-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5008-94-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5112-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5112-40-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5112-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5136-484-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5136-461-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5268-472-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5268-660-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-496-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-429-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-655-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download