319c845ab6fa903116b091d3318ccc36709dd6919073ab890f950c123984e630

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
Size

4.6MB
MD5

a1c46096dfe68c1d9fb5d1653c7eb130
SHA1

e3751bd000fa3ab69a42150ad04d2a75034d1204
SHA256

319c845ab6fa903116b091d3318ccc36709dd6919073ab890f950c123984e630
SHA512

aa9e1ada93c3b2a655c559091592123d3bbfe0cf7a67cfd9faed39928d947e2abc23f3675f50ebfc3b4c66ecc802f940f82be3d7f9c330a38255738b15c42c40
SSDEEP

49152:ondPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGf:i2D8siFIIm3Gob5iEg65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2712	alg.exe
408	DiagnosticsHub.StandardCollector.Service.exe
1276	fxssvc.exe
3348	elevation_service.exe
4048	elevation_service.exe
4144	maintenanceservice.exe
2092	msdtc.exe
1036	OSE.EXE
4060	PerceptionSimulationService.exe
4236	perfhost.exe
3208	locator.exe
1904	SensorDataService.exe
3088	snmptrap.exe
400	spectrum.exe
3628	ssh-agent.exe
3880	TieringEngineService.exe
3404	AgentService.exe
3612	vds.exe
112	vssvc.exe
3084	wbengine.exe
4228	WmiApSrv.exe
456	SearchIndexer.exe
5408	chrmstp.exe
5480	chrmstp.exe
5624	chrmstp.exe
5744	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f01d792cc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9995be5e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bf93ce6e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c31363e5e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1b810e6e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003ebd7e4e1bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c648dfe5e1bcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7c401e6e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f0ddae4e1bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
3812	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
1560	chrome.exe
1560	chrome.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
5508	chrome.exe
5508	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1152	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
Token: SeAuditPrivilege	1276	fxssvc.exe
Token: SeRestorePrivilege	3880	TieringEngineService.exe
Token: SeManageVolumePrivilege	3880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3404	AgentService.exe
Token: SeBackupPrivilege	112	vssvc.exe
Token: SeRestorePrivilege	112	vssvc.exe
Token: SeAuditPrivilege	112	vssvc.exe
Token: SeBackupPrivilege	3084	wbengine.exe
Token: SeRestorePrivilege	3084	wbengine.exe
Token: SeSecurityPrivilege	3084	wbengine.exe
Token: 33	456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
5624	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3812	1152	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe	82
PID 1152 wrote to memory of 3812	1152	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe	82
PID 1152 wrote to memory of 1560	1152	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe	83
PID 1152 wrote to memory of 1560	1152	2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe	83
PID 1560 wrote to memory of 2724	1560	chrome.exe	85
PID 1560 wrote to memory of 2724	1560	chrome.exe	85
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1212	1560	chrome.exe	111
PID 1560 wrote to memory of 1948	1560	chrome.exe	112
PID 1560 wrote to memory of 1948	1560	chrome.exe	112
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113
PID 1560 wrote to memory of 3012	1560	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-12_a1c46096dfe68c1d9fb5d1653c7eb130_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffffe2ab58,0x7fffffe2ab68,0x7fffffe2ab78
    3⤵
    PID:2724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:2
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:1948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:1
    3⤵
    PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:1
    3⤵
    PID:4528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5408
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5480
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5624
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:8
    3⤵
    PID:1272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4184 --field-trial-handle=1928,i,12638931420572770434,15690451604505582077,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4356

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d3bd17604ab35ae8db92656d2e42b10a

SHA1
b6f118284bbb842c3742f53544d4cf63a73e38af

SHA256
4660939391c8948568c4bd25e0f06a58401c24b055e8804a448427511d2c7391

SHA512
0e21f6af2a85e1b1254a09a542f662c71bec68e9c13e08a2db69de189c77d993328ee56f1ecaa72084d3f4d1b79e723177ed7ba9afa5cc9baffe794520b576d5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
338eda27064040929706a6d586f7a706

SHA1
2e81e5aa69f7f3b24e1faeef99916b7d0accf578

SHA256
c068ad728b9fa6375d6c2657a4e82b369d59585ac77c1c346b6e7633f2a8823e

SHA512
b4c2d0ad7351ec618cef6bc3505b36d46c52b474365aa3e156407f87abb5262e85cf3a3317c0f4e20e6833c4c89922def1eccb5eb07600c4416d555e22005ac0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
de891b1be05a0ce59fa36c8808db5802

SHA1
3b9ff25c851b60d666c93e0e504fa7645d0f7cec

SHA256
92a6b121e98cee3e726cf72bd0c739877864edb4bc4eada2b80754bdca8feb8b

SHA512
5add44c3fc329724204e263b115ce847680c4e366da9f3e523fff0e3775e6ea7261713a7c2b4abe9483f373ad6168a17d295b31ef8ca29db4396d42f88bf2745

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
665727e7ab372be25fd196ec3df1195c

SHA1
c19878ce437a2847a95f2a83c35abc99b21fd5c6

SHA256
ee5065baa3f1ab17e9d12ade96933541f11b1ff2ffb136298563394f959927c5

SHA512
5d3f7c106157f5e59620b0e27bf49af89bb20a31591fde44da2d7674010631958fa88a133ce5a460c0cf544903f70c7732738c5b7c9ed1cc414aa1c98bfb411e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ffb9c6b33a92664d9290ded2862275cb

SHA1
1e8645ff6f7049c495d8a1bc342d301e7995096c

SHA256
00a6926f0ee85e6510732f171f4dd1d8ab1a11d396f9d06fe0c7430a36608c6f

SHA512
6c50fe2bf8cbfed8f66cb708b1b0202a19f7fd058fcc117bd70ff3369329395445f108feefe3f53593587611d8bb9f3a20b3bc83df1d392040f0b414a8be3741

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
005065c95694d4264534e094b668af40

SHA1
51ff8b122df622ca3e51cd307d819816394570fe

SHA256
af75e9de704c8e4b2544b501fa1ae2795d5c2121a102bf75ea3c2db6492951ff

SHA512
af335e1126f25b5715ef059fb73af6f26c18d0c0d1e539176f369751423c9d4af38391ee223b3b8e70b9f33fcfdc06374c7b492066db69a93c22ef3ef2968c73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
de88dd196bdcb1b21da7137388b263ef

SHA1
3d046e54a0180118203f4247d4e208fe113c45fc

SHA256
623275077bfbe0da91800ed0d0afd481ff552155d97c669e2bde1611fc69a60c

SHA512
3baa22b8ce4c913d9fc8fdd726f84337a889fa5ee256ac39c2fc12f478cf547314301e483b0b048e300c1e80ac9b538d2fd50a72c5181aa74f431457aa1eac96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a77a61791aff2b1d5cbc330faa6dd2be

SHA1
8b22688eb365911d49ac36abb74e8575e8e66c0e

SHA256
68577a838de55b89ea217b6408527562ff44c5d4816307e8d3d254c1a4541dd0

SHA512
a2e7c4eee98563e10705790cbac5d07ac7034ea446f821e332f20f0d949afa50ad54bdf2c30a54e139765ec8a1de92078c756ba05ad02d4406b8e04846c99cf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
05ec71c1ad46933fdea8776619f2d49b

SHA1
7512011a4328a0ffee7b5be2787b0e521c14efd6

SHA256
2c7d821791a5f7d248f26fba9a0cd26df62f261734e11201a63241576b7e565e

SHA512
670f761d20ef096ad0dfab1a2734cbadb58e6ed0e8ffe1d70f914548d44d3ea9e3be0258d0eea5b6a278e52eefeadfdd24c6d076a86dbcb998d8546ce44a508f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8d95b215976b83caf7c769203f1eeee5

SHA1
a990a69c9e67166d56bf4269c27a45ac4340add3

SHA256
90a27fbfa8468bce8938995a8b891982262ecf78fb34888910837c46bf1e978b

SHA512
9bbb35bb321f1b7e08f41376cdf0deb8a36684051ced1378c17ab75799c8c6f0fa8659d5484b6e44f9d565fb4027fc23e909e8c6c7114b1eb9cb14524e5b0580

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
71bc21c0623c5724fdad10b364871dfd

SHA1
c8c4005bd3bd466dad17c93758cd71c6f41214de

SHA256
2d71b80303767329f8121844c1f5f987da7bab0b585303edbdd4de1504f81605

SHA512
dac9a52734569fd59cf7ab1407ff155d546ebd979476475eb40a1a50df24542751769520c64ee6e70f8ccd297d058400cb0a9d4161d87018e8aa263ff8b6a7d0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
02b29f0fd9c65af1ec60bb081f684fbf

SHA1
5d293a39abe30a9b73efd6df657b3baed8d5b155

SHA256
44067327f30ad0272d17efb1af8c88d58939c22d757df5a501bebbb764cca7b4

SHA512
aa3c99fcefa8101695a2e089f4706566dc88d13f184c738dd325f1fc817c93484b44ab9e54b1dcb4d06696df33cc97521a579666dba0ebb50aa64dbf828387bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8ee8e647bc5bfb7b347a2798143830b5

SHA1
09b845308f1efae3476a4130e33efdcf7c28604c

SHA256
c9ab3bb88334eecd3f24f0b3bb91b20071cbacb4927671732d9d0003eccdb804

SHA512
da1130ef0fb6d022d4292da0f17fc9bc870707f832e3e005a48b3aa8932a8e3096833bf8e348a9bd06453ebeb001ba672c6021a162e4144b690862208f837df9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
78fcafb312425ba544f2d5ecbfed5b3d

SHA1
6bf25fa6da27de87a0d282bfb64499f2e2a261ae

SHA256
f43180511986dc0968f53ceab591c952327e563d603af1b55c7bbc7437296139

SHA512
4b589835fdecea1d45dab8f6386feaf554bc3dc2fc1391a8d58c5e5fd24874b110859743e055a0f5dca25f3dac575986248e75ceb1414bbe66bb513c4f4e4538

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
fce4bfb31d25d829978e12f282ed86aa

SHA1
0e57398ad853e4a4cf0b76ddbeab72562daf3e93

SHA256
0d7244ffa9e3c2115c4fdb5210ea133a82c9b832b1b0b9dcff54dfaff605879f

SHA512
6d0079a694da1639bf023c2a618ae743c9a0f1d392365a1ed14ae1b5f7ad5c2783afd4b04ed00f893e7b79218eef0d9f62f7d33d152a813b093424b5701fbd60

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
653c1a0db815b7085b1bef614e432954

SHA1
2af9aa148bb5ef58a58887bc6b9f9bfc7331ee5b

SHA256
83fe663def9a258dfd78b5e268f8d1f68e7d17549dfeede554ab032f3b584c36

SHA512
e8b320190e7b2bc3f0a634a2fe378d92a816f0713e0e45fde4a5a29a6263a0ce0bc08726349abd12936227bfb7885a992bbb40497269ea4b3bde18f15fa5216a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\97c1bcbe-0b11-403b-a0c8-ed4e06389066.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
85378a3e26766f105d55949e679c9652

SHA1
d4b2bfb02620ee727ad26bb7b001c5b6a8180a37

SHA256
8263e48ffa4c1a2e6e49ceb582911776cdad2957ac888e9f3a97659ca809c8b1

SHA512
32ed0afe1897a322f5c9c9d98f2aec837a410be4f11a4b9534da0a2dfa2554f22ec3896b6f5accd363f0cd1bf13126cc9b605971ba33777f69a889b268e6fd56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aef29fff63adf58a490edd7d085f9c37

SHA1
403505ffc00af8bc5aeeada453f55722ca80e5c4

SHA256
4daa1d5661b8941159d4eb7866c5389e891171b33cd8be5f1405d29422abef30

SHA512
7cea9e77437c26fb97bf47b99f200ddb8bf5bff1fe5101649c0a8a98a07af49b05e39c6dbe813e04d7da2004200f67f85410a1c8a1db80c14036bee4219cd2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
002e843157c2dbede71d4b1b0c7463d3

SHA1
429cc4ac9544adc591141258494daae96dc26573

SHA256
961b691e71056f6decbf350fcfdb6e4f2c9f6419946bfebe1c118132da3f05c7

SHA512
22f58d2dae1737bfb999012e6918fb3dc8a239242432847da42cc31ca857aaceffb7c152e720c10b177b37ed8b4bedc4f601ed9ff1b34a1ff3a032812fdebfa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8571045ba5a770fa8c12e9afe2ef2ef1

SHA1
80ff4dd3540c627463d04bf86cce47b35de5f21b

SHA256
374e3ba644d88b4541a02646326b30b34320735cb54b7c62054be4812724b7b0

SHA512
16f44bb9145b3b574e66bbe090bc3e0dc066f19009ae6fb819eab501b5bc3a2591437f391ced4ccbf3d08d8e454647615bbab304c272455eb44c914a2ccf5dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577a02.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
6f3375f7448a5d2621a1b522a491de18

SHA1
655fa55d5ca6cc9d7be033be2a3968b493e25693

SHA256
0e7a706953aa80d94a7a968de1880641e4a56b9821acdff50fd3d77b4cf4a4a2

SHA512
5b1f54588a476b7926abed4207d69bb08562183b3a7ba5e4d435383490ea686edc86f73641a52cfa5108cac64195f0bd34ba240d740949f52dfd5fbb13495071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
f17d59a01246a6fc0d20c003bd3b739b

SHA1
f54630025a2c856ea4b162e79e1d3393425787ad

SHA256
38b95a887d1782439b5149b611862655e8d0c11697a6cc8c64594136b4153daf

SHA512
020779e8d942e061fb7ee837478e0b0d7b7e67214072443efa0e1c19c740c1e72ec9a33c25e1cbd6b92e229f198f35cd4848d8b3092b64beb860a857ece5ebba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
85a9899443df2612ae9951a00829904c

SHA1
5228eaec607947e889a8b1e996112e30e164f984

SHA256
c964fa23bf90bfa4780f2158bb195218f9123a2aff0abc97519b77813de37960

SHA512
0cef031c4c93a3c8e32c8cf98c02ad3134498ee5303ec9942a8c5e511862a2372efcc9a4dcb1b21281fa899c3ef6ef6d6b5a4293f921c371f4381e394fdd4ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ef61.TMP

Filesize
88KB

MD5
1d0e878fd9f147c87686fce384d99429

SHA1
5957997f77cc4d9e470ebb05ba56cfce3653ecd8

SHA256
9e70fd4e23bdb5f12139528d0640326ea01781d5b4a47a9b08df4549e3c140fd

SHA512
4b29cda3dcf082daafef885b4e347304dc4f2de727898a8ce71af1e05b5e9a3d4d052ce8aa07f49cb137c041f65c250ba004e91cb173406b35696d5a157d552c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ac7bcea5421f4d2a5584e0d88ee5590d

SHA1
9ff678ca94bab0e9e6d897e7d6b0368154cb1907

SHA256
b8c34a5c6f09b6d72570ab9fd49d85d3fd829c50bc9bde025741db7898d93e3c

SHA512
50568a47a5b55ac46d6c5a6972a513023ed262e179bb240f38edc1afcd04b65b3463389dd976d7161c128427c08a17e40d4efd99cdbdc8b7f2c2f5a5738fd3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
240a4f211a674b5b2168370d856d486d

SHA1
ce5363fc5fe2ca2f8d4c41192743c9753e9fdba9

SHA256
1fa04e64fac20fcff766534802fc4a7201610c0887673c4302c13247080f9c1d

SHA512
c9f8696a1b0730aa5c3d6dade08c530d2dde3256916c379097422e08f6938820656d77139d16ca625ca586accd40e77ec8406e3088802cb44144239cd88c2119

Download Submit
C:\Users\Admin\AppData\Roaming\f01d792cc3136770.bin

Filesize
12KB

MD5
b5922e78c6e07919cba59182a0b34b78

SHA1
de8778c9f2d31df4795c6f380f370b7175e10603

SHA256
4056821455239ce642b22273b7404b4df88832fc3e1dfa31595df2f91f6f020e

SHA512
d50f045d74a1e9894760f7c89efbdb998bdeedd5ce42c66ce99ac3985117518122e672b582c53ad061fda27870469ba07c11c8d597d214cdef0440a1247cd072

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
64d67a8de19fb7e76c0ee70ac71f0a89

SHA1
ae1e3f749cf0729315d3e801618e9b235c1d7d23

SHA256
c4a73c4a416233911c009672ae3cfd975641b2dfc910054caa8660c4b724dec5

SHA512
992f2ed58f3c01a67c99d7b42f2a05b7c09ba09b071741e65d109d80c1c6fabf5b0109c6f28c9f913e6e19dade3259b43b5611ab8f9371cf84829054ec9f0da4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d983a9227dcc6462e0ddc5d935d298f0

SHA1
9328c02516ee5f08d299c52d55a635b52c69860a

SHA256
83b000688804736baf314c699613428090f9dd2ca46cff2a89f061f2350fb971

SHA512
c3c961a2052e8ffccb5191f427688b3b8c1d27c094cb96c5483ef28d6d61c1b6ba9080856d485ec173623942b8eb043c79ab3770ccc8e8ace8bdf0db1219ab61

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2d13b4ec03c8adc7ad20b8e612cb4791

SHA1
a6df0a170a7732c93cd994df17d700353cb00835

SHA256
85a77fd7b09de248257f9d801a8614537e7cc67661f6591094c7612ae34bbc72

SHA512
5372ccc1d4952324876bca337c6bc27d9a5df5ec86ebbd6ee85e15a505d3f39d1d4ac852459eba141364a2569bdb8d8a838965a7780c04c9431f6c8d52fab8e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4887a15a380a38740d63403e021d6066

SHA1
5222af82a16e34eed3d7e200f188d95792b70113

SHA256
791daa736be9b5ff5f0f6fa7e4407d8a0747d9bb64395db73753ef8b3450a6df

SHA512
8fe0b2bf795d72fa87f3853d4cb8235c16bcb80d417a83ab3f3efd8af5f4b21b6fbca1524747440ce7c7615e2214f77bb42d6cac337570046c7fbf23ce614eb0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ea422ee9537efe350ff9829cabe230b2

SHA1
97bd10d7a932c7046764705b5a2d0df7803d1a1a

SHA256
af700d2d49707e0cb52d0e45d2418b3b4b951384c6e53521b99a8c61720c4f93

SHA512
ed460eac62b82155ebeb2dad597704c8c18cc5c22c76e7807eb76f4d4abc887a7bddd6c41f778b0a35f05aa1d73fe3a36c84805900a4b3860130dfe2a5be6e3e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
338246d7acc11860249e7b182456cec4

SHA1
f54b09d2e9af1ef5b39b5417ad28b274d4a7b6c6

SHA256
85c73db87d11c092a3f55793063d3ee375010432d6ef67e98c4b96362af91e66

SHA512
c81b278aa222e38b394b18594a6a4d861ab7b2899c715397608a0965854cb32e22bf1599368ba898ccd59c93e452d9d7c945fcd00fc5c688602bc7ae747b48d7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0a3f55a95871871e4554fa543760c65e

SHA1
a3ffe47357b9612bf22676185b8785e711c1c0fd

SHA256
055345f0978ad962c411ebb326a87bb52a5675b20792b004b61975c9bc661817

SHA512
96cb17b4f85cf8df5c0c2548a85fc1d696ee4dca520a1e969303a1f1b08874e307de342106ed76c3266a97b8ab93c91479f1b2ea7a50a356b7f63a1e0d117172

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1d8cdd1157b2342ee2516d34ca5a21bd

SHA1
83e9455a33c291789e567bee8444a8f8691bf8b1

SHA256
36bf061dfa0d6197249c2b5442a070a50d5605780d177a18a70661eecb56487a

SHA512
84f4bc736ee4055e6bdc1c050ba7be5a9a0545899529dfef4a7436feba7c9f743082a252cd82a7c3739aafc64e3bd48881960e463ab744f39608c0fb6214a450

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
936c34529026c0c2068d104d46d2bf0d

SHA1
7bcc0b9e5bd97c895f2151cf8dc01ac2aad1a79e

SHA256
3c7ba9ff925c0be26c5f4b7a15bd483aebd6a48c17cb5526b28d530ed9f9a43f

SHA512
951c38d104d433cc3074cb53b326f6ee370a415aac5a0ff6990e0a8241a129d7c426d4f758fb4bfe20f98b567e8ea0a62b21333b312bd74cc31edfb9019f0f15

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6289acb7c69a214327fd1eeb9d249e65

SHA1
7ed90a63a6f633b015872e75895d687833420e6d

SHA256
118047a7b16509a3f8958cdd749cb20d72de725a2f0edfaca82a888364d571fa

SHA512
59d662608a9f3171c9bdc0e8e52f431b03ac6cc2d52b4702772ed8ecf0730bc23dbe3837a376989fe9163f320026be2b82ee25e941bcb4623ef574d148d6c693

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7a96b4c2ff0ff38cd26b34622750c046

SHA1
942f40c479f66f6628af65f6bbdb06dce89e35f5

SHA256
cca5ae6cde5a989ebc934ea3a1e90b0fe9251773cad841e9d069b90e3ed2ad0d

SHA512
90481cf013b6376027d6667e049c3e5dee76141f95ad583ac51413f5e1fb5877ca67489898bd0122dcdee42cd3c7e2395d8e9eef422f13af0bed140d9df53554

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
967cae66bd4dce79e79e0f41ce59174c

SHA1
3d856e04fb6f97188420ddd1e02c03bdc05d42ae

SHA256
1ceff42c6102c6428ff359281a817fbda359b3afede7bec7379129422ae98a6c

SHA512
a5bbaaaadddc7d6ac1a43f7e7248334feb54063b7d3641ba457b26c72f0ae7e06fc3ae8c13ca8921827d1b8b8c1472973b3b3c9d3298b5e816548952c5d412e5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9f161e088b6688fdb8c7292bc39d3493

SHA1
129eaab402d23905db0b000fa4dba83997c4fc6c

SHA256
c764427c07129af4d683b2df07b4b21adadd9251de0c90ecea43f262666f5b93

SHA512
b44ca5fb6267a6e6aa516e6d9f0a9f4ba81244659a30038231b50d72d01c6fb2d47e8de2459a4104dc7d4fc0edb82d280e7bd3d8436689088121f012f815071a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5fb698cca2d9c24e3ac15fac9f38903d

SHA1
23b6d0feeb774d7b1f50db5da2db8947fd8efa95

SHA256
a06b29e3ac6ac291950f68e3fd9813b9d534c50a8b0dacd8a78f2b6dc8277941

SHA512
7a47f3d7aa40a9fe798a8b630c743a5ed486736851ef35e85313be2ee00be7a0f3775a31e304611d507344924a4719ceb77b2fa8a585f566bf55f9e37cce4640

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d3c7be7add7d7dca4081d497baa33270

SHA1
1fbaeeed59b0719a32a43ce5a0abc167c0c5e5f9

SHA256
6b99678f3e3b94f6a4e8577c7742e09e7aaa99b1c4ebbfa2a07de977fafa7396

SHA512
42ce2ba002715deea8aea0e33b9942aa2f18f5f27714b98c0e0afe16c260eecf11fab6238203cf60601ba2b2b233ac0317a688c531b786d8d19e154436be2f4e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a5cd2efae73c1ed61b81a16bdcee7d82

SHA1
b4a2bec9fb2dc99e08b5ad862d73192252cedc58

SHA256
18dae48094bdc6f0f02bc51cdda88805b6a5c4555a96337af7e709acf256206a

SHA512
18faf581e77a8d80567ff40451835410a3a6c8985f90a98b0603a871139fef365f38051bf1ca29a2d804cdf416a297754c3f4690c83dfb03d9755bb6064ad44c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6c105a68647e28e7819ce0295c91670a

SHA1
61519f29d768aa51d3f72ede13e53b30382bd0b8

SHA256
9de0a1fb2fccf8498cff406e0bb9cf60eda91b146264c7c46017e26fe5b9fcfb

SHA512
2a05f743d6e15b6585defdf2a693c98bec8f10b6a218edc554c05084f43d6d3629226778170ffedc15080874b16cf0fc2c9f6fd334f2837863a0905a6f178f1f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
01c29861b04e133a9407fab38ddf1b2f

SHA1
af59332d29af1455280df808d20cd808ed854ddc

SHA256
14dafa0e2118066caa5b6247cc9f831b560b50527e8c0f31bd04a72a5c56bd8c

SHA512
ac6be540195d5492cb0f6886d42b4aa101c4acbc9f21b6012305f113d2f8ccf903e186ecccf186c9440b7aaaef435f6fff65b11487f78d5d78468ebbe8a17252

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4fddf3708ee9b2595ca2e4ccb91d210c

SHA1
157fc305f36fecd24f01be4ffd0d83d2aa522c37

SHA256
9cc51b2a1bc93e73df6d3ab817e48fcdf794ad85e209072a37ae13297a445d0e

SHA512
ca9e1f3402e442c06ceebd6efe80f128dcd82647f1d91fd769cb2ccb0f9e9b80267babc2c9777c4ccd5dd4bb3070ee9949bb15422fa92459093684f9ef4b04b1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8970f1510b11a8c1e3fd745efa4fc74f

SHA1
7b6f9a33995a9a022db19207d41b720e91899234

SHA256
a28f24ebe2539d789c468df204849ad5191569d2cec1136b8101287fec40fdce

SHA512
6b09563654507aac7ee50d5c788a53254ae6d82c9783a06a0094e3549a8cc36e627fbb881d540267f99a151faf35e5ee817fd95314d9973cc1102b97ae16c11d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
293068b38d468d90cb8048901d1b735b

SHA1
e55363e663dabd1b56316ef3d8a3657014ed814a

SHA256
3f7f3fb4290e19725986ce377dd806a81c66345282caa693c3d73655b4ef2708

SHA512
a1b4aec820af8af5906e2b34104259d25df67288b4f68a018327d201753c6577af87ea0f92456f029e894311345621f6ecae59b1dd874677bf9d0bea0dccb13e

Download Submit
memory/112-186-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/400-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/408-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/408-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/408-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/456-552-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/456-189-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1036-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1036-92-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1036-98-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1152-6-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1152-0-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1152-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1152-9-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1276-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1276-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1904-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1904-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2092-174-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2712-437-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2712-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3084-187-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3088-181-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3208-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3348-56-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3348-295-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3348-50-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3348-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3404-155-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3612-185-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3628-183-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3812-436-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3812-11-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/3812-17-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/3812-23-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3880-184-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4048-544-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4048-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4048-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4048-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-176-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4060-102-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4144-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4144-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4144-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4144-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4144-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4228-551-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4228-188-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4236-177-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5408-426-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5408-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5624-453-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5624-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5744-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5744-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download