0104b43fda1c1afe2d42abad9c7ca2a606ea86cc0a6f16d398077d0e8aecff32

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
Size

4.6MB
MD5

d67527ff4832ff59e9d22f2f0d088156
SHA1

4bcfa132912d39a4baacdc36affc9fa1d2f6f5cf
SHA256

0104b43fda1c1afe2d42abad9c7ca2a606ea86cc0a6f16d398077d0e8aecff32
SHA512

0a3704798b8b57f3bbbbac5e16769ee0f172dfbbe8a1d4fad2346769342d8e5861d36342e468f31a8a62142e0cc2d3f14388d345fd64e6ec27a48364f8623bb7
SSDEEP

49152:6ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGr:w2D8siFIIm3Gob5iEYnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4992	alg.exe
2744	DiagnosticsHub.StandardCollector.Service.exe
4028	fxssvc.exe
1856	elevation_service.exe
3992	elevation_service.exe
4420	maintenanceservice.exe
3004	msdtc.exe
3704	OSE.EXE
3972	PerceptionSimulationService.exe
2032	perfhost.exe
4428	locator.exe
5132	SensorDataService.exe
5300	snmptrap.exe
5540	spectrum.exe
5796	ssh-agent.exe
5888	TieringEngineService.exe
5992	AgentService.exe
6116	vds.exe
5408	vssvc.exe
5584	wbengine.exe
5940	WmiApSrv.exe
4888	SearchIndexer.exe
5628	chrmstp.exe
6204	chrmstp.exe
6312	chrmstp.exe
6384	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c084c5fc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2fb3383e5b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082102883e5b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0853d83e5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000140f4783e5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623534309071791"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001372f83e5b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
5012	chrome.exe
5012	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3768	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
Token: SeTakeOwnershipPrivilege	1916	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
Token: SeAuditPrivilege	4028	fxssvc.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeRestorePrivilege	5888	TieringEngineService.exe
Token: SeManageVolumePrivilege	5888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5992	AgentService.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeBackupPrivilege	5408	vssvc.exe
Token: SeRestorePrivilege	5408	vssvc.exe
Token: SeAuditPrivilege	5408	vssvc.exe
Token: SeBackupPrivilege	5584	wbengine.exe
Token: SeRestorePrivilege	5584	wbengine.exe
Token: SeSecurityPrivilege	5584	wbengine.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: 33	4888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4888	SearchIndexer.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
6312	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 1916	3768	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe	91
PID 3768 wrote to memory of 1916	3768	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe	91
PID 3768 wrote to memory of 4684	3768	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe	92
PID 3768 wrote to memory of 4684	3768	2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe	92
PID 4684 wrote to memory of 4224	4684	chrome.exe	93
PID 4684 wrote to memory of 4224	4684	chrome.exe	93
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 4824	4684	chrome.exe	101
PID 4684 wrote to memory of 2256	4684	chrome.exe	102
PID 4684 wrote to memory of 2256	4684	chrome.exe	102
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103
PID 4684 wrote to memory of 4052	4684	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_d67527ff4832ff59e9d22f2f0d088156_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0900ab58,0x7ffc0900ab68,0x7ffc0900ab78
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:2
    3⤵
    PID:4824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:1
    3⤵
    PID:2104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:1
    3⤵
    PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:1
    3⤵
    PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:5360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:5580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:6008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5628
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6204
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6312
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:8
    3⤵
    PID:6716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2564 --field-trial-handle=1912,i,17925316168211420128,2071086490987659640,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4992

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5132

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:5456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
383f65fe636fea294147e2ae7d0bbf7b

SHA1
bb0ddeb8948b5ccbfb5d16dc46207958471a9543

SHA256
2044790b2d915912f23b7611e96325e86980d5db5349c4cb20ac412e50e44e60

SHA512
4791b8a237156ef76b141b5e42769550bab5612842b511b9ec4e728b3f7a86c087b85eda8e574b6c529621f9e729c318612deb604a06e676ddd275007e3887f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cbca4cf8f0094316d5a3841a8f4a3def

SHA1
f3a1c6f064144bd64d460dfaf23eda11fceebfe7

SHA256
d7f43b6731c310425e76188d4698c306bd82e1588eeb8230ed7ec6478e76aef0

SHA512
ab389dffa10e12251c6a3e598a7d57dc56ce1491eed4ec526cd83dc85e38c73686b62331b54f55082521aa72848047caeb8219ffa3b64ea9d3722b466b2d2ff9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ce82d32f258073b19761f9464471f846

SHA1
5cc4811be184cfc2b163fbd2b7d0c5a8c59b3ec5

SHA256
ba8dd30271775959afb67b2187055ac8a1c30ae0d6ff73ddb4407e67696fd0bd

SHA512
b3184e4996803c2f3bbcd0ddb168910a46f3d6120252a60ae347c06a91d317da4e6da8c2eb9e45f593dbd614bc61222b2601e7302b034c448a0f0976c97bccc3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
88bb1f7db0c7e7d308991236f2ad78a7

SHA1
8b512ad3c17db91b043fcea76d681cf4e1a59059

SHA256
dca67489a738b6ec119bf83ccd4d41ca6ce4836d4c902e0397ab10a9b8adda72

SHA512
6929b28f92108da060db2b4a47c9ab030e31f0bdf846c06c4a03111e9f6b695917c77a4e40a25a20afb4e31b8fef2e704c5e408c67f6de4ed144f0451354af7f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b2d3ecd3e051e2fce557e0e4fdfdd2c3

SHA1
ac552f67bad174351807cd2f02734e478a0e794c

SHA256
f0a0febbe042348fca852e0ed484e32aa7e5c02c64b741b365213e853d6c938d

SHA512
eb486c7714393606f1eee0035b69e70f3cc1ec360ed1f835e4e418f15326ba7ca3ef1f6fca19869ac7a600f6bcb820b525d20859de71d21bd3e47eb07e36733f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3479e9cd4d701408ae1483716e2bc42d

SHA1
d97a19c62a59e7619d615d70e24f5cbc4eff78be

SHA256
d790ca1e1232f7d723d46cb6cb97eaaef15ec8c45c96e4ea850af23053d81c90

SHA512
150fc2c4c65306e0ef79a6653203ea2369f0dc3c0d8a77dc918ee3e28b9b8553d2cd7bf68768c4b641d90f8dd57ca51cea7044c1801345d9e8db967dce840c86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
192KB

MD5
c909ebdd7c0bcb69d264ab17afcbe443

SHA1
edfae4aa5738584651a4046b25a3a36c6fbf4eed

SHA256
5fc59f47e4a5f781738a88f00882426638852b8b3fd73676e5ccd321ffc24c3c

SHA512
61ad41e0eb925b81d14aaa2b0b87b65365bcf3abf0a109453175dae2930c3f1299a34f67c8e0d9a6899f102c22c224288f6ef3b4ceac2e5e86e9d717973870ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
192KB

MD5
e86c0651870a33a52ba212941bfc653d

SHA1
f8ab3de97852377ebbb30e871fc0254bd2d9979b

SHA256
6459c0d03e8079f93cb0bdf8f07355a0d268e7c12ff323bc16fd11f232fbbe49

SHA512
2fd87b09901b1f9ba1b267fc3fd985c937b5f958cc0e56fe28b0dd066faff1c7d1325f1379bb78882d561bfc402882e5826488a92d594d08a30691ec623c856e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
afe3dc1d92e88e11fa8d3708aa000190

SHA1
1b2ae2a93059696b904d02766ab6c6c4188729c5

SHA256
d77523619f89b5641a25ab99e4d514427b1e353d2386877b3362658b3ac5f178

SHA512
1be0f22feca5bf4c44dac7ff80e46e20caf865f18dac68f8e3679bcde30a4a5fa684596c40b5ab5f713f7733b45167001cbf70018b9fc1c989933acdf95fb8d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2.1MB

MD5
ee7b0dee92c06b02da6eca26e4a0b140

SHA1
38c475dca1ff95d99fae29534cca60a6fc8c5d4a

SHA256
6379a0a989c2ed17013b55fe72b1b3321c2aa0942bd12be03120cdfe362ef03e

SHA512
c28ecb6b6fb4406c78e928429dc69dfa637eba24abc7bcfde701657e13c9dd8d625f5eea93e1c96ecca529dfb4a99c18d76c70ce6481e475e041adbc525904a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.1MB

MD5
e69337e44e4db71b636ef6943dba13a6

SHA1
adb1bbb058ce3d68a5a07b92f824e5d80582dfe8

SHA256
e0abd671440c42c1d03596eda2bae4c9b411b0823ca79b4ec0ed9e7c05b77f6f

SHA512
d031be2d9b3d04a5bd6dcacb950e95885c1ddef085daaff5b4e3fe3977e3e22ba364049770405d424cd681920e05614f3fd4ab1924d51a0ea664a7947ed7b130

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
396a8eb0ce9831246fade220f967d6b3

SHA1
b43f0c381219717b6f4345047958fdf605681fe4

SHA256
a4b389f424c425bef0b6765b77297c87b2c74fd34ce60ef16050e506dc3fd80b

SHA512
48204ad427a2d199dc69b8ac72ca78181d9e5901c3e78fd329531c0586eb15cb4c9c7a32f077ccb162402a0d7455c214bc645e379222f612451df443c66cf306

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
51c2fe27841be36c34ca0cb42e8cff3e

SHA1
eadeb39bd9aaa3108f57cf728889545f9468f40a

SHA256
4cb313cd41c628544afce50b3c5d5f022c4a1ce654c06bb073d1d5dec65ce093

SHA512
b39c63f22df7c0b5274598a1d71df5a5bcd23177d89d27c3300ee76b685d40031686fd9ec36c2c6fec4c569117adfc4d3f0036997e13589da264626acb41bf9d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7211f0c111d85ef3a2e26c1af3529d7a

SHA1
b23c96358068c161a79a4ef03e555fa473141454

SHA256
b7efa0849441b6d143cadac70b0199c713230a3f47c8cd216e194e0967e2854b

SHA512
e8dab4557be997a31651a4584c4d5001d5d91d002d79a72f6fefb3c273a699f8724290439667fc1f2377547d80f11d11bde808d1913325a098b7e17167d3b4db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a48f9c3a78264d976ca893795a9e981a

SHA1
a0b9d5aeda374b5e391b118364f6ea745e44b390

SHA256
7af7d34d285c766bc31a23148dd80da8e3113d51d5710a7ac0454b025310ae61

SHA512
7f487d4a9e34c7d4c1d9b185531b3dc59ed989139ab976b24b3342ca991ea764a0e89a106388f7590d98ebe5a78921b9441dfa44106e1ef04b30bb0046c3eca9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a4a93f1db13477ceec23b82ca808f64d

SHA1
7e135bca9220449a0b8c8d393855fe7501850645

SHA256
bb6ae4a734b8600f8efbfaef0a8cdf9ab65e2d59eda6e07520f54b234ded5e9e

SHA512
33d407932d6382888911da0c7b76c1f8e469ee6c6fbfda291aabb73ea939b612369eb9159f5aff1c3fe35a2f50c908825e5145bde911c52fa856304e972fbb5c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4562b39c-ddc1-4b59-b90b-ad3f7b6c380e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
33979d1201477e50d620a4541a37d5b2

SHA1
48880860396e69f6833959a37eb61ff25deec587

SHA256
c61fec9a0b962797ecc9ae50d2f83dd661315ffbee0bb80b5aac5c825803f877

SHA512
7b84d46617819501c54a0347922e7cf97395010e0dc8a6d0788070845f39985baf37cb9d2875c69b4761a64c2da6e1e502a6a9aeef992a62bc47c144462c0127

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d1d6042862c3c7b9b909f96187ac2e79

SHA1
05e6b8ed1e214b85e39b82200728623f194539b5

SHA256
88e19554b2c79dd2ca2ee066ca38fbf31b3c6d26ea949ed7aedab53d85582c68

SHA512
a3c5cba87678601998786b47f55ba8b983d564472fc836fbd6d4a35960f1b9c221fb45f19f5c32ba92eb745b640cfac6db2144baf38a7e67950f1e0be46c500a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a1fc9af22ce317b156b07d75385345b4

SHA1
7cffaa628382de10b25524a7242a26019e74ff80

SHA256
bd417b76f65141aafb301d55363c77212d035035e2e844202bfb45a3a63401f7

SHA512
c58789ad426837ef6cb62575289ea8c5fb74727617726853464ec99e68fbed58b1debcc1e9ba8049e4d677399399ae2e639c0d8a36ae1184390b455798ecaf4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
39ca4d53e5383c478e28be85adcc6c62

SHA1
c61ea7a06abef573ff7aea3828b5ece2ad28b94f

SHA256
aa0e87e0ab5469e52f8468f643b0e5357287e53ff511fa7b179fb905e3d3bb06

SHA512
7a29ee1d41e6050c3e7266ef4f2d2d1f73f72a0868731a205e056c213f2287c232c7b5fea070420c64b91f6b561a0c9c9cdf423ab0286bb7190e6c8ee15d47a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
06c188e25be75b93586126dcce40f526

SHA1
6d3f50a0a5d9b4970b7bc7516451b33365b398c9

SHA256
e6b6796624cb8bdcc8fa95292f96a9743c4b1d2121db95359dae1633eeab8eed

SHA512
39f5aaf3f00b9c70b6937364ac06db94bf91190cfabed25a9c9fbb761286df72bba5d2163bd7b84727d0e2d621761b3c3b208ecaa4ea5b631a17af55144cd212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581604.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fe3ad235814a26825e67aa5c491d2e11

SHA1
002b51548c8025d26f66a51beedf98359006577d

SHA256
771a81baf91505f829afe2735fc7f4dfa15e47d97a24796eb1cf575dca288ac3

SHA512
0423281293b7482374d078dd745458c019cc98010c4a3c89d19a6558fe57ae859e4ccbea2fddc4c6d0dcf0e4647a6a018d64165644553a3cc22afe04484dadc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
d77ad429d2eca971475d0701df9390d1

SHA1
479f256f50c97d04a326d07cad176d6d13658253

SHA256
825449486d58606cf476decc8bdad435f7d413181be22f662068a678733a5aee

SHA512
b4ef179fd258b5ea1e9d59da3f35e883a33f482c347455b586b39a4f0d5273963c0948b678eb348d156832add022bafa4cd9f88c259cfc3bfb226889b3ae9115

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
db5a36c8dfcf36aab1ac79817b4c69d4

SHA1
64bdccc06a5cd104b115d0e899ac5d6f9b312186

SHA256
5c04f15568bd84a8c2d47c0692f6be2f2a61ee55f824740ad2ef1488360faa9a

SHA512
dbfe5e206a2ff2f0465ef214fe8ac8f74462e7d543136397bf1cff139f132f56c9582f4c8c558456a8be39c1d25aac394c691fb35dfa98495a0b62417649cda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d0c44123473b1cdb375c0a27cc32f271

SHA1
7de6a89d437328585e42104383e53a6305216df1

SHA256
fd72e29feaedb7c5133bb65ee62c690b3723426be6f829f9ea014fca3db2dc65

SHA512
8e9a9c2fdbfd7cd24ca3e269c78e564e19122fd31adea40d69cdf0e7be9b34c96d9d9aef845387f1f0fbd8e321f81c798b9c89398a84f967f957d8dc8a027964

Download Submit
C:\Users\Admin\AppData\Roaming\5c084c5fc3a5208d.bin

Filesize
12KB

MD5
f11a47456d8036dd1d5fc140b567f861

SHA1
02c941e6d9b3d46601e5a97b157cdd498c6d85fe

SHA256
bd1ca370dfed779bcb9162171baf2af3f39e92e2ef0cf59d30fb8711ff8a0e93

SHA512
32b56562b907e9cf800169f92ddf2ad0756c291c3a8cf64942c65ffe3c6d8a13f5dbd63a71f38bd0c2d72b359c23b2c7c3d2a810fa3c2f0c32567b9e33e399b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
725876f94be5508ffae35f9733f921a9

SHA1
5a95fd9d7d737d5c673e1f78479bbecbf5450aab

SHA256
3243ab38473021ae53ffb87e7bfe8f7d93eb02c9e83958d05c9fa4a65bc8a332

SHA512
79252bfd528a5a191f59f7fe727f026f28e511c1ed7adf8a8680922ae5b3adb01b9ee3b6fbe16655712a0666eed8e711c407cf175cc475de9f0ab5995252596e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e7e9b44d8dbb5266ab97d0b5beaa75cc

SHA1
42a17c3075fe2ccf3d8fb9e109869eb8bda89a48

SHA256
06259728cf6de947575039403da038bdac68a5268c2896e7e49b1062303a33f4

SHA512
d023c4d9a47853cdcc2d9361b1a3164925de98db8f23b4570460a700430ce06c496bcf06a0037a282575627599ddd71ad41066c705bc35823b46de5d00faaad6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e5c21e1fd85238fd788997f9d9300dd2

SHA1
aed425634611c9d81e0f86f9059d4b1be4d30927

SHA256
290eee689faf8262b25cda5cb7980dbfadd128991a793a50b486adf57c95310a

SHA512
61b239fb549ec5f4f6d960c2608ca1dd511865d964c33dc8868228d5e2d4366d59639d034c1cfb1e4f3e1743ff100cb480ffba0eac714b3b64ee6ac516625f32

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a6bcc958aff3a75c8c28580eb668b5f1

SHA1
c581711e91ecb95a33c0458e6d572cd515ae75ec

SHA256
401afb9e95f5aa285d75d93e3be6c0307bddf105aa6854457efa6978010b72bc

SHA512
3695d5f43ccc2902f8d411a62fb5717ca62ab8a1708066c99a1756929ac5a54470e961ec2bd97a6579ee716dc9002a3965532ef1b51fc0ff3c0735d8d1d78eed

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
16fa3b166f806ae514b711607e5e4a82

SHA1
d1eb3a19f4722b8b73f789acba1659e1adb79b3d

SHA256
1c9484fc6271176e90dad500b16eb6c87e81df88c159f423e47857e99e339ef1

SHA512
83c230e61a0aed5657d756fac1dcdfc9b601676dad38c01c06bb2c08215de2bc048df021ca29e2ddbec550d8746c4bcfd7483fabbae96e9663c147e0f1cec462

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
35a2870af98e7d835c0883690a04fe1a

SHA1
25606b001ec00b720b33d48f6b853742913bcd77

SHA256
b91a1306daea632c47a1fc61a5677c966340ba6f124bd77f3fdf764545c6dff8

SHA512
fe37b50a01db2af14bcddd0106548b395d875634350cc7498ed5d1c7d575d200076f62cc7457c1a4df1219e0f324fb7a0008769fe87f996263f614bdbd5b57b0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
ab4cee3d42158d7e559c33a7411befe7

SHA1
51e8797b1950fec826b7c78465926163278b7bd6

SHA256
a840d37f473589ac0d9c0c341c1f0551968460e859ec8075e06be86d689d3761

SHA512
f38dcd2ed27d907f6be11d5d53584190bf4306a706da58f60ddac00323dc7a3f4fc77f6d0e89a6ccc472f3ca9b308b10541c0ec51a91a08e2a9930e63dfad792

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
851f83ba0ce1d7350c938d1eecf5be7b

SHA1
39fde274c8d99ee1bb675a5dd0be6e17dbb8f599

SHA256
6c5cfaded47908b5d48c00353f3606a8486303e3db95d93ff52f6cf1809ac945

SHA512
a171df76fbdaa389d79b78d7ea76ee135066f3d5c3dae3608b87d9d68d4493565d6c602a55961735c57dc7d3c393d9f183bd86c4c3f55096887b345b17ebcd28

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b8ecc60936574f4ab5c54ad86e2d1779

SHA1
08682b31891c55f1ba1218999443b0a51c46e398

SHA256
8b0d08f1aca6047c231e5d1976f4d4d1a0895f9caba5cde12dbe1734effbb170

SHA512
b10ed2fcb84f2d1a3031882285e9ba8a8322cd2906c95409895a2028ccc22dc8f36ff149a58c3e7a9ef9feba46833f1842ff3b6c11176c44be0db6640e76a2ce

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
df7ad12672e57fac1349492cadfaaa18

SHA1
200627bf81026efa9ff53e2afe6ff1f13774ae58

SHA256
7a29187c64fd3a071adac5533db876279e70d2adefaa58c229593f6db07c6759

SHA512
5f462ff8fe94f7ddcf47cd4a9423ba4ee55cbe544752b67743b2a987a3546ba7061397279701849a143a0c435044c20f2108d537361f2843fb7a8f955c01eb5c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
82ec23a87e594520c7b2cad9792b16bc

SHA1
4249b5d47a19631590918be079373852bc50c040

SHA256
f022bf065096b6061bc3cbb3960db1372a8718a9792debe1e72a0a9e9bd8b340

SHA512
67e347ea60ca28997e69961980ab9043f7ebaf15676eae695515f4ebef3a743d46d5b5063154bd7dbc2a14d7aefaa5cf467303b9066f098dd121b94f4d8e0c0c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da9f443af292d7d42a5a8e4212ee1cf1

SHA1
7674645f4e570fc1b0a09ae37b6dadb3ce997d32

SHA256
8eb441d77472f7fe94fe4aac806d4d0ded15843c6e2ad5267dd169569382cb80

SHA512
8710ca6c27a29a25e6edd2842d83ea985f709351eb9b259e2722815b22c19917182b949d88a8099b4d7b51e068a03496abda6a550699d0f9b1e56548e4bd12e9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
1e07b98853044d6df5862a97a884df66

SHA1
87fa23a75e06176bdc9a8b579d812a6e2984cff7

SHA256
30817054762df561db52d62f0a6708d10de4b3940f3f11f6856306c1b35e39e7

SHA512
40b6f67c8a822a48537712487adeebcad010965e7cb6d3afbdba0440b78a338e0ef7c8e5813144bdb8d119209a1eb634e1c282c1397bf54a2a871f14091bfe6f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d53f99e1973ec811599f73bc8d719d93

SHA1
8ff24ca2c7d2f2d06a75b17e30916d5f236fb198

SHA256
acb3108fab07327fc13755c985baae54c04cdd5770b477b4a2626444664b3981

SHA512
8f82ff6552b3f3c56493afcc52758493721ae7b15a101276888b22990cf322deb6358a45d2cf6c3c3038ab5babfc0b839fffa482c1adab91a2c24a2542273ce8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f8df4eb2ff6a60a907571167a9cee80f

SHA1
d58e02c0b64ed4e8d9c2f2e1c2f797148fa48ad3

SHA256
bee3921ea3b92ddd2b6e566384754b6de95b1b27a10f2bef17fafac1b43600be

SHA512
f668473caa96b9748082b14ad074bdfc36f00f1b60a089c22b8fa9fe382dbecde8d972422083cbe26bd1d55c8f0bb750d818696f3cd9dbf7363a484480d23d94

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c8a34d6e21a268683d2bac8fd5907d2a

SHA1
6b1739918053fdb49584c6c719675cc3831eafcd

SHA256
c632edb4e3e443c0dc7087f128cb3564b78212783346df020c65c2ae09b5504c

SHA512
ba484ef77417d1fc87e1851cd3d96839a9d7f5f848097f06d609ccbce17a6fbe9bf6120fda0b46a7dc9e8ea603a1699f9bc4406fdbb6ef2b628a41b7f4874d91

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6474f3c88355a3da998f395663807032

SHA1
d351bf088764dcc72f7a6c1b8facabbb0a7fb12a

SHA256
e5677cdfce75b197b736d539ed27f280c0d93d5b898b294e815af4dfe3b2666f

SHA512
ae91da08e21702067f392d39cce7448c6ef201192eea22596a6bda2ceba95d98e15ce79b917861d13b2e0b622ba5093385514d9e0c079bf637f3200a9e2cb4aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3f90e4df09cedab6f82741258a2a5938

SHA1
0c8dd83fa95445787fb7d852437dbdb6be79400d

SHA256
0f1acaab7c86b80199e5b3c8e4f55532eb0980f04f833b4237829a717c9b9b74

SHA512
062dbaf105bd56c52481976f428b9fc95d51efa37da2fa3bd02239a71b886e49746af282528cddfd723f56d649f66be96d5326c0c2985dff7f1ff67c57cbcc85

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
448KB

MD5
2f4df595676fe3f2bfb5242326de491f

SHA1
173ec4d0ebde0e6ee75d55e8ae6b5ed045c4dea2

SHA256
092831f090f6080298fafa5589ee44e815cf920f1a3ce1ffa86730f6adc0ad70

SHA512
e0457779c51e063ae0ac75d058558d7f331c0dc0b6e73385d5838d34a1c5b8f1dd792339ccb52d97dd0aa36b03a9613fb2c5381a0e7d56d4229c50e4c2adbede

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
512KB

MD5
0174fff8f6c1fee155aa98f0a7ee6894

SHA1
e3be8432843319ed0dacd5f1a01ae61b474be1cb

SHA256
e5b92c788163a6c044a0d36916229464264a6d113fadff34d0f455987dcc32bb

SHA512
dc6aad7e13602faafcbfd3b54f33fa87a3154cdcadf09a9dca5a46caaba962cb3b20f22b7571f19c8769ec88a7559f0493a87c872097817c9fa2c6fa9765acb1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
512KB

MD5
e0995efd4c74d0956ff6601ab9c67cbd

SHA1
db9a5d9391d0a4c60b4559a8ac27e806aaa56d26

SHA256
5323a8f933ab7022d0a0f91550749200426725177161d3098eb0359c383d8544

SHA512
12b956df39ef4fe93fba3f8bffa26fa1411395e07577f603a82a4c079389d77c1e00b71aa30de75cab2fabec5f95fe4349cb6e4bb8ccdbf606de7cdf69252a83

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
448KB

MD5
20e3a5115a4bdf1ca67fdd6bcf50b1f0

SHA1
f48913e5a78952856079bd738f7d1d25be834366

SHA256
d4204686fb024de2fd227bfce29569d2adf931eb56b66bf52da5b144dde791f5

SHA512
5011ddf4a22ecb3b2a7f28524d3408c19c8594b40369f9cee634a4bb9423c2782c4d506ce5b505a4e4b4b17c7aa17ff154b2b7dddcf9b34600102003b91eeaea

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8705f331fca6d7d89277b26ef05e61cf

SHA1
05832654da95bf37d612b5ac93e0cb206204337b

SHA256
382d33c979e1d053255664ce596f9d683f6e9da4e2b9c684c5a7a54462cc73d1

SHA512
dd359e6bdf7b1a5875abf19bab70815b7b3d3bb37ed359d3c37ff338d5c5e7575a636e17a6694af41482542a1a2897689dcd7f6c8cfa82379771e10492d983e9

Download Submit
memory/1856-68-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1856-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1856-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1856-74-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1916-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1916-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1916-192-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1916-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2032-170-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2744-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2744-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2744-53-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3004-130-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3704-144-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3704-300-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3768-0-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3768-9-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3768-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3768-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3972-169-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3992-118-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3992-82-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3992-253-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3992-88-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4028-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4028-56-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4028-78-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4028-62-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4028-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4420-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4420-92-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4428-182-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4888-781-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4888-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4992-204-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4992-39-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4992-40-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4992-29-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5132-632-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5132-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5132-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5300-492-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5300-213-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5408-772-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5408-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5540-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5540-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5584-777-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5584-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5628-603-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5628-513-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5796-523-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5796-239-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5888-250-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5888-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5940-315-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5940-778-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5992-264-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5992-268-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6116-278-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6116-766-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6204-517-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6204-782-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6312-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6312-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6384-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6384-783-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download