15d5474b024c3a99cfd6590e729ce662234f7f118fec7c24f06c6c67e071669c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
Size

4.6MB
MD5

87a29e8094fa0f39a8b3c5db6266e4cf
SHA1

208147a360fca5e793970b555ee34a2194904e85
SHA256

15d5474b024c3a99cfd6590e729ce662234f7f118fec7c24f06c6c67e071669c
SHA512

14d9144294d5d6e45f23705ffb769dc964fa0b0c95356281b64b4d8405d3dd9ca1fa3537560c7e71de8fe3eb4c9312572f9841d13f2dc72d039e12d62fff4c8b
SSDEEP

49152:rndPjazwYcCOlBWD9rqG0i0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGD:T2D8BiFIIm3Gob5iEjJ+3Mx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3496	alg.exe
4664	DiagnosticsHub.StandardCollector.Service.exe
4104	fxssvc.exe
4708	elevation_service.exe
4544	elevation_service.exe
5004	maintenanceservice.exe
2936	msdtc.exe
4056	OSE.EXE
4656	PerceptionSimulationService.exe
4652	perfhost.exe
4956	locator.exe
3164	SensorDataService.exe
4580	snmptrap.exe
3008	spectrum.exe
2404	ssh-agent.exe
4420	TieringEngineService.exe
1892	AgentService.exe
4788	vds.exe
1888	vssvc.exe
4960	wbengine.exe
5236	WmiApSrv.exe
5384	SearchIndexer.exe
5672	chrmstp.exe
5708	chrmstp.exe
5280	chrmstp.exe
6008	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8a2478b38beeeac9.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a519008e8b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f214309e8b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623545135199170"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007601a108e8b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd579b09e8b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aad0e09e8b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
3636	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
5784	chrome.exe
5784	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4740	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
Token: SeAuditPrivilege	4104	fxssvc.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeRestorePrivilege	4420	TieringEngineService.exe
Token: SeManageVolumePrivilege	4420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1892	AgentService.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeBackupPrivilege	1888	vssvc.exe
Token: SeRestorePrivilege	1888	vssvc.exe
Token: SeAuditPrivilege	1888	vssvc.exe
Token: SeBackupPrivilege	4960	wbengine.exe
Token: SeRestorePrivilege	4960	wbengine.exe
Token: SeSecurityPrivilege	4960	wbengine.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: 33	5384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5384	SearchIndexer.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
5280	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3636	4740	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe	83
PID 4740 wrote to memory of 3636	4740	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe	83
PID 4740 wrote to memory of 2868	4740	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe	84
PID 4740 wrote to memory of 2868	4740	2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe	84
PID 2868 wrote to memory of 3608	2868	chrome.exe	85
PID 2868 wrote to memory of 3608	2868	chrome.exe	85
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 2496	2868	chrome.exe	93
PID 2868 wrote to memory of 1140	2868	chrome.exe	95
PID 2868 wrote to memory of 1140	2868	chrome.exe	95
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96
PID 2868 wrote to memory of 1508	2868	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_87a29e8094fa0f39a8b3c5db6266e4cf_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x2ec,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e7eab58,0x7ffa1e7eab68,0x7ffa1e7eab78
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:2
    3⤵
    PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:1508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:1
    3⤵
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:1
    3⤵
    PID:3384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:3452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5672
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5708
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5280
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:8
    3⤵
    PID:2344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1924,i,17732992128798434201,4555604282074453280,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
60908f873007c79114ba9c0a04c4c0ec

SHA1
ee7eb45908a57d0c16507822bb9feb60ec674033

SHA256
766ca262eb57963c3cafffc8f94a10a37b7da5df329c343cf32b9623ce772831

SHA512
264bc72e8daaf3c32aa53b797fa74155ac194f5827f2a8811425c0709d2c7430ccc4c6162a91161bf6b43265079f1e8141b47e38b601d0ae6120ce39bedde7d6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0c9ad9f25383c5ef3840bd92dedc475c

SHA1
931a8d3b40b10779aea354932a09f1e68ee3947d

SHA256
9a156fa21af46945d9b58497756fc09e4999c5bc98a2f3854894e30a4157e5cb

SHA512
8b7bad9f17cab91ceb6319a496c897a927a361a63a43f657d247525867d6c72d6b06c33bf65faa5f7804c187c20b1702a49a5f231241979088310a28c1a3f4c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
0027a448842f03cbc5b1066db516f8e4

SHA1
506e910208c2d0168b03ebe095c4339e8f1e6034

SHA256
667c68b36151b0ff898b82ddc583a7682934c9381823132c7b23d8ddd9f0d83d

SHA512
62b0e16a7b37a807dc2592f5436a16549d7a8a525c8ec754d4d110321207432ea1968b7c6f0ef9f7e04889664e691c07aa9da38d22dcc341af3364d3cf2c7bc0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
76322646248cd8c414aa742fb9a866f7

SHA1
0bc59fd74a29cc3c71e6c517b220b9689d897cb2

SHA256
631634c838b4f94aa2174bacfc8e4b60c180eaffb22f55f4d1def6c215b359e6

SHA512
04e5ceb369a20185fe05a7ef0199f85b23fa6c80b5112ef87e602350b7e9c38d8ff3d26f6f26f05df9fe52a0a2eebc9c5b6040f89744fb86e179aacd4adcbb37

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f03d004b43965a519ff22681fccabfea

SHA1
84b393b8d5389acec002a6802f36efde4d4f52a0

SHA256
61b2b955614bf3356a7b3f9af3eebceab22316003300b07aee290e47fbb1e2b3

SHA512
e5c0988aa3ce118aeb6a77d5b2b7ddca2f8f787c01cb0e098c9150594e22f67a3d291b5c292d1ecd96226c7a23ef8033dc739d27eb2840956c2c86038bc0c75e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
136b06299035e275316d216206ad389a

SHA1
949515c0b53b62dd7da0e18078dcdcdd4e2fcfab

SHA256
14adb2c4298c6a58d154ea1a7bb4dc18d735063a94803161888bce6e86eac379

SHA512
8669a621e3bc9f6435da499cbcd3a7c1570bd93452159492bb354e314fee2b7a70a6f292f7115caaf7d4da5ffe375e9fbc8f71b7fba64150963da1a2c1ed4d32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2f3f6899917cfc8610d122f656997ee7

SHA1
6322889bfc94db704a60c186475dbcaf07f65d60

SHA256
5ecf54fad8d6c06faa55034b602c1b6c39aae22825c8d7910a75a76bb26bbea5

SHA512
c2b60690404fe8cc8f1bb967370af5731b990b186d4e87d27bc2ca640bda08cfad8451670818015114a0ed7308c2e913c919ab6a1bf93a529b01eefbca0f5258

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
736aeb1101338eaaf3c3430b835e87b2

SHA1
0d7aeeb5bb47886940d360cd4e425913fc26c8ad

SHA256
93724ac50a6eb2032e3483cba32351cc9eb3409bd4b57b67eba9b04810d1f721

SHA512
d4eeafc9ac6044ab0888c98423edf63d8dbc33bf21a8dff7448ef283dc7b034af035f5a1d7e90a56bc7d289e1181a256f94c6f6cc4bbf70c4656b61201f49596

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4de14818c0a591066e8457da45a7d886

SHA1
52f30ddb6ef9c8cf2658282f7c063c4942b7ab14

SHA256
1e5f233798a9c90eae02f032f36e48373a8facbab06ecf8394277982123fd8f0

SHA512
5ca4d51400066ca52892320e43d8a80b354bd428399d08cc086d37fbea4888c7654b61734c3a6cf3030c5b5016836fef41a2ac19b89fdca474b063ee94972223

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
59525472aa08eb7524938ff5735693cb

SHA1
e48782b2eadcd6b16bc059ce95382c9f3bfcd53b

SHA256
0ef554a608c0488e73138f84ef8d91a8d4dd95bb210a31c6a2644be3ed7a6bbf

SHA512
f62d65bab26fe9e46b837e908989485ca9a020f91b27eeb5933a4d39ed69ec0a4aafb8f0f729fe17a5cdba6091653a5a7bbcc48127b3a6a341619eff94e0a295

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
804abe8d37091523da26997b96806e58

SHA1
43fed9f329c2fe9d033cf05b7dbfe66fd23c746b

SHA256
bf9480fe3dde617ca4c5aa76eb9d8ed9c4d090e4dde9171c4f83a9920d7d4c23

SHA512
642e8f4d92d2fd9c46a71761b3e0a24cbe420f738b19d4edc14bb70e9fb6276452798a6d0fc9ee178b7f5d4feb48996e19daa95c962256f8ca32fa4f1b5ba56d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
897f01a7aa46c4a0e33d13c505e99a6e

SHA1
a28e959f42f43676fa49713703eade714f09ff43

SHA256
73290d68835dcb9ca87a1439c525cbb7a88ff6aa693f039e34cf66d3ed415c28

SHA512
1d21f15206802a38699e2d48cc276d0217ebb89c8992996f549bfaec089d79a545208cdf449c7eda7c0acc111b6eb53db5adb779ef6a91ac4627288f605c0dbd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7b6b19ac4f6555d82da1c10b79d3bad1

SHA1
d41f649311da8a6c37960150f83c924ea09a7b6a

SHA256
6e8b5b3d8c9483885931337b9e7ff129bd4aab5e1b5f3f4bbac61d05f6890b4c

SHA512
8a3a980c4b1fb8ab073d71c15ec71f3852dffb624322d2edbc0f4c3dfebf91b802208e4a1873990d62346122c395c7c0db0b30efa241bd62fbbd3ba38d396e54

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
64efe06f3fdd1cbc3c6f18d57bb23c28

SHA1
1a2e1e9c71bfd7cec054eeafb36de828711bd950

SHA256
1a633e35f856285818bb42c430a622043abbbbc816f57feafd09797bc98016cb

SHA512
1c52b94ad61465b702377990fed4ee6c9fa066333025ae721b5dab618623f18b8e891a2605a7bcf83690db9d35eefbc97161f3c716a8ef853e15953386715a9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
48886663eacecf057176a5ce47be7890

SHA1
d610673d748e0cda0a0f19cd3eaf004b60234d00

SHA256
bbff3af28652fb5b73aad2aba8bddae4dec1e2182b87ab2a87a06fadac328e74

SHA512
4d177d42227f3f92301dc23dca6bb833ce32a7eb72124ebc53517a3be50a45df6f2545bff436df42585f21e9e788ebdb82b7e7acc16c47928b26070b294357bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
80cd38e1f20f4c2cb6265d031e4a1129

SHA1
076d5ff97fe83289dc00c1d390c746e807ad6ed9

SHA256
70d8b94febbf3e166325d5fadeaa1821b0c76dd7cf23b28d0d482bab6e137135

SHA512
8abee2c05fe4214d6ededa3c5a356243f43f9a6d6395e80f893f9c234aa46320e9aaf6429c1c2d914f262987b37b077cd42ed2afd6a65c8fff3965ee3e0e2c7c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240608210834.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
51a6c4918f50ed98f5167a076074d306

SHA1
29b976522d6ede3798e75b2d12bc503ca31519d1

SHA256
031bb6e8b1fe59cbcac0f80be3852976b0dfdcc937604806ef623701d6140aaf

SHA512
372206d0c3b1586f14e369aee9562982f97f184b4cd02fe4fde299dc6153a726fd469270b5b63c45608666a6909d2ccd56cce4d098f205a147faddfbd788f8d7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
5ed581795a71782a295119ea332cc75d

SHA1
f04b320986cc54e72625adf31b9f62eaa7bb910b

SHA256
860eadf2a5242955d95c44a6e8f4e0b05f2873817eaf3ce6776f6ab20a17d92f

SHA512
06ef0dd633a02461616970a82f6d67b1b30c8886c2bc23613fa0bc21718b7a9ff29e7a3e2c410696e0464fd8f175428cec4cb51d3cd2d15c3b2fb55c720924af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0a91cb855c179693213427635e3a35e5

SHA1
845c33069ccb8279760c7e32f71c4cd2d03585e4

SHA256
c750e1a054d5d727f8094919c147a11a9ad60a4b5d15385c490b497eaeb6466d

SHA512
1591f672d805d0f00a4f346b8598a7f2b7fc4c8d45a160e6760c95cf177a5236b85b405b8706135e211c1e3dd98b7645281bef7b44e5f8b324ba7feb8c34c9ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
e30ca081e575e2818ae17fa22bb23acb

SHA1
38cc43d4a8db0cbc49c98c320bf810c632817715

SHA256
3ed38ca2b3abd2d3dc127f3451583380e3ce9799a01d37b6e79fad997afdbef1

SHA512
31d8a3df07faf31e8c19c7ad3220cbed0e33a7e6ee86b493ecad59dc031e80270b025012bb3efeacf52305e7f7c297028d4709e190f866ddfd3a7c7a2c941e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2f42b9148a02fd1f30318819ad8fc56a

SHA1
7c6e425dc1475d3f8a9eb2029e1341e9e48e0bbb

SHA256
81ad1ecebd26f8b568b34062449fa55f8791d26380925443b17a6a677a30b551

SHA512
0e7d733929c308896530f202d52fbc535ff9aeecfeda18238fd1cbec61d0e9de0576b148832120a4cf1985480f8bef5c0ded63a9314b7e341699738780afc1da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575cc6.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6411d15b04a53d75d8750bcb319af383

SHA1
1f3503b3962ce18745d9b991cc1950f349e1bce2

SHA256
9f116d54e74a81687fc0164fc1594311e40ede5971ad81a1ca1cc9c98f593d9e

SHA512
4fea8a0192e053c275e877a961c2f86d77d71bfac21809e128b52adf2f253790cca6eda5c65ce803d6948cb55b63fe1276fa2a86f36b11ac10c45c839a243da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
4cd2184ee8c1ccbc32c84a6fd270ff4d

SHA1
56b61ab90626ee6b56e38c0c764c7f3ec4bcdf0f

SHA256
de68fc4585897b2ea9d15a2212eb88a20304dfa0c3075db999fcc91a68a52971

SHA512
4c0ee9ec0d9e250c9b70fd9b812b74b8fb6b080c327df6002d2f4fa574382c29e989a3f3bc46fd99d68d3d45a7efbe0faaad19c8ced4a7bcad3388b01a3f5727

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cd8a906c382069ddbba08a022d578570

SHA1
e9dc547e930a96a0308a7d33641535dd02b23d3b

SHA256
9c1748213e15b34109cf7092163b447cf70c0dc039f58b8feab4323ce9042e5c

SHA512
91ede410c8b7bd3b6b35a64d07b9f0db0b97e781edc8381ea22fed7e3b7d63615672290f41769aa5a90bb6f06bd702b7e3188366a6cd5b8610ff2388ae333bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e6837214c239fac215b7c402b464bce2

SHA1
7820fd3673bcc5696af9d0d87a702ccd7a6392e8

SHA256
44a9790139999fc651175b59ba74a6480d113ea404cd5dfe573ac31569d6871b

SHA512
c7dba9fedab948722d69e6519b3e889ef7f6afabfc7c897c914cc1ad4bc50adf2c256c2671ef93e734fdaadfa907cf9fd1209a44658146aa82e62825abb2c8e2

Download Submit
C:\Users\Admin\AppData\Roaming\8a2478b38beeeac9.bin

Filesize
12KB

MD5
5a777ca96aba1a306c8eb658f16b3134

SHA1
6f15af223a341fc73555fe977a15ac21fdf9f644

SHA256
44376e52bc3c2ec915c058e49eba675afc2738b30e8df37ed44de5d7e9eec31b

SHA512
2e540eb703fe5d48a71d9e21c3fcd30ce0483d3aa1b1e5d2df05532e09df763d9521c2dec9cddc98cd6de60b134b170c1f521095d64f5ef3ad9e75d5f7b4601e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
049aa0b01d37300191b2e521b7d6dd60

SHA1
952160c02baeb9bdb6961fa348ac438daf981a5e

SHA256
00e29cbc4dcba24d784347f0d07898047c3fd79892262337c909000c38971f1e

SHA512
8589477383ebf8e17e128e4f59756185a89c3602b6f16450342a36f6cb8b76e711aab2c1ec5cd59e80845690720b2474fa2c0e16a6e6cfbce02de1ebfbb42b17

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b75a6414681c3e0cc985603e9c21ea15

SHA1
2c4f03831509c4af1008e515f2a196d8faab65ee

SHA256
656af89237ea3614400f61a9b1ebb92653650e08e9249f8248273f643cce1206

SHA512
9f6f4109b4e55a85017ab8ee1f16b4099a0a08a113288a3ca35b916b7b41dc87d529e36ce4a3e5cceb580ed7b337a9e8dfc2dfd00b56e18f35edf33a0018cecc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
8599f74dd8717fe4817a91e035502da8

SHA1
86246b13029b5403189aeb3ea8fa28a0543da4b7

SHA256
004fca55c27d15d72de5b0773fa004fa201e21e47ca65a1dd64e4d1fe23ef8d1

SHA512
23a91736b10dc79736430e0a7dabb7824af6880c775202a19edc91f98a57e440507744dcfca77fc0f0b6ac274f8173450631ce8df4144be29e5c64f9daff900c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f1b84c31087e51a619cc6f5fa16908d

SHA1
99db7b4d421d035127f9f4b07d8d4576a2e5e968

SHA256
0c0656eac512e16ba52345b9e3daf3e84c0b66991ce0916b1a7286851ab9695b

SHA512
5f7f1b7285407f078d16e5361863bc4beaa0d28f62b99044d3e0e7096bc7de15b13d3e2c0e73b11a7b73a47831b2344e7510207f832257337a1d86fabccc6c7d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
7e256c64a479e55d3ec9ac969e483e5c

SHA1
f7f3ca38fd648d0d344b75d1d6f4bea257f2e1f9

SHA256
91f2e51fea9dad7b496a3fd918d429ea103fad2cbb85466812b2167662595a23

SHA512
f15ec7c4562ee50a3d06dee3ec9a413d879cbcc545af4c861eff4caee73b750ad390c2ffa04224fbf2b01cf6b4ce08c59e9e922057eeb3d38224291b3a978dde

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1f93805df06370550d77fe1a40028ac6

SHA1
d7ccff054210797d6525045265f73e88e7f3552a

SHA256
4b529fb0b2548decb54557cb08390a4de34edbfb8ff2681d057a2643de95f3b0

SHA512
8678ecb6efaad409bd902c7e126db77b764f892f3b9d5269b6eb6d9bc00e30ac698123c1da318ef3fe47444b73516f9087730028774e41b1f56747908061eaef

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
22c8e8b29a9624fd89e669fc9d20a691

SHA1
d20e15b10a885d2e4489b4fbfe567318e30564fc

SHA256
7bbded64b80485607b0d1f6c216b4c29d942cab6d6c2de38dd764ff6e0af46f3

SHA512
0c16937f8d44ba0ee5646cd62d70cb418817e1568dbdee8871486a63ab0aae6e2f697607e47b1c76565db90c057a4dad748e0465237b8b0e7996c01cb5d985c4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1ee3a44d90cb79e1e3085ef275c31e7b

SHA1
ce89cdd62f0e2c295cfb7ffa671ceb87deccb8df

SHA256
b97cf82b7ec190375aeb7cf588816277319e14c9bb1f3b851db042bd31f953b9

SHA512
5bba7f2ae5650f8c2c0410fcc1fecf0464c8a8c57afc7961100d70a71badc98e2e6bef0602fef8588d31e2e5779604abb7e2a87242598fa743e780f5021c9cb1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a41866dc295d3ce7fe835cf24f7be5bd

SHA1
dd7ac0feaf836d4323feb9dd288f02b9458c60e7

SHA256
8241b273a57cd6245f6096204746fd9e7bc432166724f04007966e28604a3f1b

SHA512
6be1ac5c73671c362e88a4a912dfd1b9e2061d3e32a431851055dfd776fba266d632fa0c78ea1596005efa23f3a4d820114e857f1b60afccd8ee5650cf942e61

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29a325a690e9edbe331b2e2ffbe314c8

SHA1
8d95994b20c704d91435cb702054a4feecff8abc

SHA256
cf939a80fd52c1c7609178adb16b3f467963af6fdf3296aaa3786469b28a8656

SHA512
1c6dfd95081e2d7d87b58c1e69a711c7f2dbf464392f954f381b46583eaeaf7f1f5503f03539a05394ec9596a006ece6f98cf13fb10a5d3c86b46231c7ecf41d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
f5a23258ae58bdebaa5757c320258e9f

SHA1
9b3ee0767761b7df4316671f28825333ff5c72e9

SHA256
a4e2bf61ea1ff65b4c24837ea2b52720426f7866390afd5d2d459237705359c8

SHA512
05ae9768995128b17083a7ed3eb4cac5a8edf475c5b48fba026348dabbb501a213a23594bbe52a68537234e9431c9d2f2f056023b5d16de126080bd25b512f3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5c6c841711c5baa1509f7e615743d689

SHA1
d17046332deac7adde7501e001e5866b9a2f5f4f

SHA256
d1f45deb7880f8b159bd4b041559bddb0b474f0aa6667438086b0b0685b41b73

SHA512
bf849d5ca92e12b2816daddc6a890a395039c5e421bcfd8d4d6644e1506603418bb2a71ac10c8f2bbd702bd86b8b62aed093d597c0210441c52e36ac007afee4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
78c48b9dd6a2073d0d822dfd40fae9d8

SHA1
617df6230cdbfd2733e345b04fad5607cf1f86c5

SHA256
01c57a612082fdead4d06125a5648d12318297bf1214f31d6b8ae32753a2681d

SHA512
3d13ce944419084cac1d060e0c8e942d9cc0a95df4ba65c4a5742a103864f6c39e5a9aee7ec45a504cab400d70f9199e12a6ac5220c77168db77bc08f3971312

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
73d26606a69223b40ebfc0efbb1ec1d3

SHA1
9f1faf005f882aeecac89489e2ad6036dc7e516c

SHA256
cbe3183beb32ca0e5bf6078d59008f866f7bde983301db5ed17fa9c0eff9b3c7

SHA512
64bef9df14302c9785873b891e7af088e5fe84f1761065091e6df3e969b391c5b1fb6a81186db757292bc6fadf5bce5b6ac879273532977c045c821bf32354f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
920d685774703983652873bcdd563180

SHA1
a75c943ad47f3469368db791b3900364ba011529

SHA256
1aaa35ef4167b4122d2e4a19632df0874e5627a92cf7a456f251eb223f25531e

SHA512
86404afff3eeb57ffff6cca2a21a61707bb85c4ab8e935c17289fb7572f907d2b374ddbfa3a76678f4c77fa8d6bd1ed5c73d4a5868b7b7220b4bedd0aa983c42

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fe0af8782def59044a326fec5186d9bd

SHA1
f0506c7e5fbc78288892a0f07d011ded4eecc400

SHA256
aebaea47f63144f142f133313a09ba11570a3cf7e6ad9f29472bb6a66c8327ba

SHA512
ebeb7c3130ff25e80a92c316657ab34712b5b651c58f6c01ac993ce662cd84e37f5c012a5dfd2e4d00723b7cc94832ea2cf5700fa3fd3bf4508c5ad34e5c09ad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6e7605aabd995d51de9484fc76c87cfc

SHA1
e6db192b4fd27b700ca777a416d189a741813f1f

SHA256
c1cffb6df64b609c51059895f6dc69903e02ea590e6332ee38c062144703b988

SHA512
0b422b7aff6fd7823d54dcc98082f3453e947d6f5154b819db1187188014dd3b35ac9d55ee95bc9510ffe7d680be39acfa70a88eb36ce59af7a9fd5091a59f49

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
476793fff8209b213f0d6f11471820f6

SHA1
26644e28ce9fe54027c425e77f5a36c7e0304d69

SHA256
7d6cd2fb10adbd1753adfe7b6f1aecaf62eb30911283d5650ebef6335e77c949

SHA512
f2ea2205e1167afbf97edb3c86aeaea5051bb8107be31ca9bb17c6c40be6a0f93db4618625706941e6fab272109d921ce4ff8a8c62699b386deab112e4142408

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
abc8c2f40eef37f4c823817e92928722

SHA1
8f79497597a96ef9a2d946e6e58e81205e17e8b9

SHA256
4107a89814554f7034384c6c06081335ad775952f44323c28fd31c85193377e2

SHA512
7711699bf01da89185f644b9ee18798a5071e3083e001c79017fc892ea7ff1a8335ba6b10baa200e030fb3958ef4c0dadcda95e7a230f3e801890c440f0f62b9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
cd0eccb35a237881883d5c3dccfbcb0b

SHA1
13ed6e63921d79b59ffa1a5fd4c2f9b92bd341ad

SHA256
c55579581a9e24e9bfb3094d05d8820f19b970db9a34ef0aaa42aa89a69f2836

SHA512
15fade02370aa018d0b3f849654f4ffddb0def6b05484a1cda64f90e1b5ae247b4e4e30c91657a6e51ced5a35290f0ffab7a23398755d0a9740934e297684675

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8b59d052f70d4ebb1d7f18e769d2a538

SHA1
93fbddce82c0189837d20cc704e15757ef1a0812

SHA256
2a1e842bfeedf41be114da7b223e3170b810dbe79aa553784fb18d31f1590d49

SHA512
679c9589f48d9131c04724f862898fba3cb6c7add27096d5b86c9298bad5ba773e057177abe869ee7a3019b3aca4ca5b4c3aa883bbfe3195ef72410c3ca63bca

Download Submit
memory/1888-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1888-733-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1892-250-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1892-254-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-228-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2936-126-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3008-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3164-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-505-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-630-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3496-166-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3496-40-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3496-39-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3496-30-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3636-102-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3636-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3636-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3636-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4056-146-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4056-269-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4104-63-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4104-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4104-79-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4104-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4104-57-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4420-240-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4420-535-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4544-226-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4544-93-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4544-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4544-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4580-202-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4580-516-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4652-168-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4652-309-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4656-283-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4656-159-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4664-54-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4664-53-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/4664-170-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/4664-45-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4708-68-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4708-74-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4708-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4708-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4740-6-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/4740-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/4740-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4740-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4788-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4788-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-324-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4956-171-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4960-743-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4960-292-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5004-94-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5004-103-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/5004-132-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/5236-313-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/5236-744-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/5280-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5280-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5384-325-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5384-745-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5672-513-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5672-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5708-748-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5708-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6008-749-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6008-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download