eeac6663229ffc1b65c4064a5ad2b1aae3dc44814020a743da648a598e3eb0af

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
Size

4.6MB
MD5

fc501781e20b4974f61ca356bf2f5ef5
SHA1

35eca518c2bb1594b216b48c7851acd99fbd2cac
SHA256

eeac6663229ffc1b65c4064a5ad2b1aae3dc44814020a743da648a598e3eb0af
SHA512

4f5f2f8622263f36c34e11952665f042dacf1d64717d66219f03bd088ae9e6741b9f29909c0a746d7f143f97c3738aa44a7ea898df201537fb5ab043f0223b29
SSDEEP

49152:endPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGV:k2D8siFIIm3Gob5iEkmqrWETR9b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
220	alg.exe
896	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
812	elevation_service.exe
2532	elevation_service.exe
808	maintenanceservice.exe
3152	msdtc.exe
5092	OSE.EXE
4676	PerceptionSimulationService.exe
4936	perfhost.exe
376	locator.exe
2868	SensorDataService.exe
3352	snmptrap.exe
452	spectrum.exe
1748	ssh-agent.exe
5040	TieringEngineService.exe
3996	AgentService.exe
4284	vds.exe
2524	vssvc.exe
4052	wbengine.exe
1136	WmiApSrv.exe
3512	SearchIndexer.exe
5152	chrmstp.exe
5236	chrmstp.exe
5332	chrmstp.exe
5416	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\85d41d05c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643277744730215"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001754ce62dacbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b136162dacbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcb18263dacbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000420a6562dacbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc6aa762dacbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046828962dacbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eef7f062dacbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008eff462dacbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe9abb63dacbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d38da962dacbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1312	chrome.exe
1312	chrome.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
1312	chrome.exe
1312	chrome.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
896	DiagnosticsHub.StandardCollector.Service.exe
5264	chrome.exe
5264	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4968	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
Token: SeTakeOwnershipPrivilege	3924	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeRestorePrivilege	5040	TieringEngineService.exe
Token: SeManageVolumePrivilege	5040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3996	AgentService.exe
Token: SeBackupPrivilege	2524	vssvc.exe
Token: SeRestorePrivilege	2524	vssvc.exe
Token: SeAuditPrivilege	2524	vssvc.exe
Token: SeBackupPrivilege	4052	wbengine.exe
Token: SeRestorePrivilege	4052	wbengine.exe
Token: SeSecurityPrivilege	4052	wbengine.exe
Token: 33	3512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
5332	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 3924	4968	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe	81
PID 4968 wrote to memory of 3924	4968	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe	81
PID 4968 wrote to memory of 1312	4968	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe	82
PID 4968 wrote to memory of 1312	4968	2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe	82
PID 1312 wrote to memory of 2952	1312	chrome.exe	83
PID 1312 wrote to memory of 2952	1312	chrome.exe	83
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 5096	1312	chrome.exe	110
PID 1312 wrote to memory of 2224	1312	chrome.exe	111
PID 1312 wrote to memory of 2224	1312	chrome.exe	111
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112
PID 1312 wrote to memory of 768	1312	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_fc501781e20b4974f61ca356bf2f5ef5_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9052fab58,0x7ff9052fab68,0x7ff9052fab78
    3⤵
    PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:2
    3⤵
    PID:5096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:2224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:1
    3⤵
    PID:2900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:2240
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5152
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5236
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5332
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:5356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:8
    3⤵
    PID:5888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4652 --field-trial-handle=1936,i,5635237744450837748,1046732895370077879,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:376

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:452

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4808

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
33dc529eb09537314e09944dcefbd61e

SHA1
f410d8ada7e1ebe1711bd7920c7e24cb94cfb303

SHA256
3a31f115e8c981ba79ec87b4f1f4db0c2c5531db28d58d922a5324ef7fe3863b

SHA512
0be64b85869ce428d53a782d07ea2c000d93834ad033b9d485113a6882f9688b0bbe0bca31717ca74c21029452338e0c61907924c064e86258b345a726e5f776

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f113674ea90710251dd4f7f15efeaba9

SHA1
4c2db2678393659b571aef46a81b4c81d4778c43

SHA256
915c8645e35cd348808bb878b9b60791be3e01b5491cfa76e664a9ab66e7529a

SHA512
aa73189d1cea101fd24e704d2a1c894352321dbc4ad55b1add9a16d0c97485b054297fc2d269246a1817780b288ab267de8d5410792bb03e25db9ac7e23e1e5a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
58d3b33503853108164b5dc65c2dac4f

SHA1
17531cc128768c49c20135eaeff4db09f6061fb0

SHA256
ace9ff35a572d1a2b46b6f17fd2d6f95b26d626eed14f924645f1c23212ec877

SHA512
299e87ec3848f18366be43fcde0463b7ef319732e4ea07c7525b53e65c875e97273f5c3692acc24456995068a4158bb0a91671da7a929d7137f5a5ebece48908

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
80c56fd01b1af07146c7892f485196c4

SHA1
b17d85c0daf1aba20b7eef6cacebdc87aab6d2ae

SHA256
c6315cb9a59d8163d61c8349c79af7915afa967fb28295988bfe69c2d3b2e009

SHA512
1a1f5d8192aadb404a84872ee4789fed8b5931b3790145fb1df205f4d6f160398ea22ba64ce03ba791723f6dd2f2e6d9c7501f6d989750ce5683aec527b2d90f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
227fc9e632e4542f13b3899484f6264a

SHA1
15a80630d4b1788af1fcdbb127975113cffa5817

SHA256
af169a53c61bdf231e467a834e5e769ef91d5cc9ea90f4ed82ee502fd0e1724c

SHA512
af1feb864f8f415de365089ca6dfebeb3c9e57df407390f8ea84af794c9db280168e1d37b36bd8641c304f08f046c8a98cfc13ec5d4190bc204c775bd67d7494

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
32baa91231c3c9973c84ac4f1b6e906b

SHA1
911a44ce862ae0c0452afeead1955a425db61d89

SHA256
c9913a4c03bc3960654d1e7feb220072977339612a418dfd59d5867a9cc23f46

SHA512
cc4f72499d372317016180b9247af71f9a9c13ae231f87f2768c5f8444d8725932b5867d66b193cc38f248564b1825ff30baa031f6d11d528e37e5734ebffa03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
682fc521978e118893af8d4cc77ed81b

SHA1
af982e63e08b610251a25d8760ad3a5d064453cd

SHA256
da212238be4296c51734f166bbd0712504f640bc42a01386184efaf5b0410ad7

SHA512
92e0e4d96c81ad8f7a9c4d96735a7a4c534191200fbe9fe248d2c4b9476a5676190a7b9ffd4cede3ff3c1079b6b4234bb297acc036416bf102419cfff9e0b448

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a75a6c096981f7c749e21399ca284a69

SHA1
2f53804360bd6e1499234b54fe66ed3a65b10fb5

SHA256
610661de7098a7f85363a0f9bb2b04309e9f4d55f9491717f3216c01cfb0437f

SHA512
5296c638a3803757033eb0be5c7640a5df1d4f822ecfb9ce3c487b25f08cb1c8b4f57475b9ee172fa86c18d50c1e5dee70d660274484900e61ace6b64c841766

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cecd5228b30d043dcc4cb4c9d5c8d6e5

SHA1
2536200d061cdd7abb2f65d9e3ab9e0a75e08c0a

SHA256
b9f543bbe03ece2903956dcf1834eb8d75cd7f1ce01fbd94e9a76ee9e3bec528

SHA512
ee921f208544ca404c40a0cdf6edc588733dab133c60db6e94e3c1de53fe826ffa1e7c83b3281f016b884de20fcc15edc8891164ad1b4fd0376fe9dff72d7bca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9ebda8bd4c067a7f8a86aa15b1a05e22

SHA1
becc456fae78ce588d160bb791959e1eb2f4bb67

SHA256
39edbca1bb273ed71be51f17ac1f373fe630a5df849486097dcee242690c2886

SHA512
0b3e45fb9b10ed7cde145463035654c1b1d93551e1b557d03faf84ce8f28ae39e527bd7f49ddcae429d9c9cc24a09fa07f4c4317426458a2d6e8a09daa4731cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
413ea3dbcc16c80f6cab33a607c37f0a

SHA1
b12698cc074d2470f3a31fe2669a6e0db5fcb00a

SHA256
8bdb5bbc425225646b84933597891d121aef7be67fde3fe8cce717981ae6046d

SHA512
804993866554d9042b144c7ae49a07a5baf0d38d6b8dd1536567852987f62bffd72b74f519f30afaa1de4ceb81364623958e39f78b84072d770c6b97d875d6aa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f5cf71922ea6b1f13a41bed828bd772b

SHA1
007674bd6bea303993e610053ff2283584f9359d

SHA256
35ee3edaf1fa56b9d9d1263bb5c6475e1a89a44f5470c5c0de90430e9bf27262

SHA512
8b19531d439f2c627e2c8ba607da1a722957d005c73f1cbe2e4d99537d54079b2dd33539063ab3a0439f8d44f98d9b22f84e3a786370affb6d2c3c4d723b011e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
51d21dc876f6dc31870481eac7ff5492

SHA1
2dd37c91d6d854732d3b7320bbb8cfbcd72789d1

SHA256
46df257fca9ac5cb7a0a2ffc16d546967282c3f4c5b7a71fa2a39904ac8c884a

SHA512
42fff690092d7da9c9f3b4d30999c00bf12c719259e5d70259705efac9cbca82e3258b684c45c6a3319b9bba0fa0444d65cf64ad7b7f17bff9b689980d581ffa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
91b6088d738365f7ad658a0b7173158f

SHA1
b52cb21e01e38d3a44356cdf95bba799b99cb45a

SHA256
fbbc9e3335b335d566e882c82a214e886e68d84d294733a6f062016eeccd33fd

SHA512
49e7c3fc8b8b8fb7c10b693402ba70983f1766984dfbebd2642770ddaed14df0718a87c0c22032dac5706d45300e16a40654fa20964094b6ed53cf0c1feedead

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0c5b00b68fc038a3ec2625c5b0820676

SHA1
8ae69b67068af43ad94fccd116644301e8a8ce4f

SHA256
ad9b22450d7c6340ca572fc4c538995cfd32ef5001cc31a369058a2ecfa5daeb

SHA512
3681f783caaf83a8dce1afdc4cc924e015bf3f9a5335eb3b44070b36dce23147490dadc4a8aaa573d0197f2d0703ba9bba72d415a80d677a11e872e0fbc4dbf0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2ffe3631abb4986fa4ac1a73d16b06b4

SHA1
2aebe21bcc0024f0054f008980f6289c6859d72b

SHA256
40480a30f9387712d6e93a5d6f3b4c36e36432884e6fd7b698a2c9de382d34ab

SHA512
de99aa01f6b55415f7865fcf0f322d782d1fcc0f7a4080a96fd50c19c430d390828bab3890fe9dc886bf93c2cbfe64b4ca1c8c9132659513a7b3e6f310b21258

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dcc3ebd0-00c0-4b88-88a2-dc39c9600185.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
491758ecd7e06baef9cd1e1a1dd8d00b

SHA1
c3dd17f49c5970cfd24885a1d29fa4dece71a37e

SHA256
1c778e48c07b03cfa65718eb4a7c30bb5449a321e6420406beeb358321f1ebf1

SHA512
ef17da1c3c18c537abe8a2b5d67d7892e943ac8897d8066aad8c003e468d69c632b3039cc6250a9b523f2c067e1d0ccc6c9941284c49a174d20a35d0005e5c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3535d62b20cbb3e9310a194546ad17d2

SHA1
b1f1fb764d1c1c3246344e498ce5d2fb06f5e397

SHA256
32377700ddb496c5cd255af527a31fac0b022d93cf5d99fc8a5f957a40bbef33

SHA512
b1c1366f926d7dd3d5b7ae1fa81dc5aab14633efaa806df3c72027814e848cdc50d634d6eb7abfac8ba706783df9c614092609c7df9ba79afb1dbfc068e75167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f43a1fab0e446996ea902440589ab82e

SHA1
ad518fd185852a4f3b8513f3323260a4a8adf2b3

SHA256
9ba7ce0d376ca291368c2ab1038d20ac45157f5addd18ee09bf012bd47a00f00

SHA512
51d2da8feace5beab5592b997f820a1b23fd0177eba7c299c83a070f9d07ac6c49f160c3278de8f8b1f29a974bee036068c45839e58247cbffe2cf26db6d4d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3da00826a2809712a72dbbf0ef9b59a7

SHA1
869ccb38277a21a07e185c79b50098ea2d55d35e

SHA256
336f9547cff7df45385960e172d1540778a7e877c96605817049b1e859ad2b95

SHA512
38ddd6d0a1fcbb56d1c6cfc7a2c40abcafdaedf51bbb13231b3a687ae0c19de833222af7a347738f8bbb21f7c278aa2993808ee2b700553a22b2f20935f0b6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578388.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
54363964b00b9cdaa01e6e8a6543b153

SHA1
c53573e0ab98088718f92054c15f2ce02a61d986

SHA256
7eef70667747c106fd76c8b64bb66ef6388f2eb32021dca779e24b87185da3c8

SHA512
3e1c3fdb16f9df1f5e7b1c0bc22fa237274eeda6ca414cd4bfaf05ead72d2a85dff9ac2279788f15e641cb24e285f321877d3bc33ef894204faf934c1816c571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
7a3fb8f194eee4f249d5e8766a569b04

SHA1
06e8e51088b982e8a096b4902e7144cb7316abb2

SHA256
8cf127295903e767edb58128b764e5837bacd5395cd8bc635511f65b5d0d4074

SHA512
c7001416403e135e066cb8f54e0cf8e7495d70b87f07f12d52ba2054a339a2d232981b7affe75cd8e778c725fb0d289b384e47c2805ccf3ba78200b9f5325097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
f4eb0be7f10dbe102b309f61274377b6

SHA1
b63bbc666c7fdde8df997246b575cc9d8fe0976c

SHA256
2ced0bfdd0437a763da8744e488f477873435b2c4eb64539d99aae7b9cc25489

SHA512
95b6c8d0716514d920a5cba189b75a1afe87446a9cdc8c2289e3697ec8f2d6dd6bface7e39828509577ee2aa43b312148bab73837d5649c50dea664babb7e1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f8e7.TMP

Filesize
87KB

MD5
56e44485c4910546a61d12abd897f6d6

SHA1
fac144cf01cc16804a7300ea5e3dd56343bf12e3

SHA256
53c7363013d0f5e5284a1dd1aa07e41276876ab86eccff65e4160e9a46836a50

SHA512
e19dced08a72491bec5d961b998786da60e35bf92bca91ec784b7eb9d85c74d35305f756f2ea75b662d082f5a2324941b7bb7486bde2236b2adc81b55b9d4fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
11c33b0f816c4734c2b63b052b59f3a9

SHA1
c96d46a9616e5859e98d4ebf3cb462c1e271d0d1

SHA256
ebef10aa87b3c5bfc54fad439f6defaa9fdd6b9616112a150f20aa98ddb9b6bf

SHA512
865754bbd8b83bbe6b938bbd40e8a46dc785d5cb813e9df62b2eb1e064f0170764d73b28d8a58dc45cce1c5bff9d7c46562fac6197b45a077de95181624476f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
615dc3ad047d78fb095342298a05e5fb

SHA1
17513d0a1ec0ec1e851206402ec8c1c64bb66f30

SHA256
469cfdc9b890cb2a8d0cbc413ade4fe67100839e2d9c42be854885c0095bf1f9

SHA512
0b182bc2131339f66cac94469fa623e9d275272a403cd944ff27594fbbd27591de60215efd8a262fb8f08cfce7aa62064c54aa4ab168dba2f20dc0f5732f5f37

Download Submit
C:\Users\Admin\AppData\Roaming\85d41d05c3136770.bin

Filesize
12KB

MD5
a74756b11c846d162079d710fac0dfcb

SHA1
c347a90bf5d280bb38827afd9e6ee52733ed2873

SHA256
71fd2c4a91a2b98f4fe4f5b0ff10276f893fd46c04501a06425921208de8556e

SHA512
36abefc5488293a79d4aee9c93b7b70045ddb108699f12cafaf238b079299d1671785d20a8e49caa69a2c4966fcd160041e7ccae2b89fb54f165a0bb4fbce6a3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9eac9e56748f9ecc3c12fef0cdb995e3

SHA1
9338144f3de8e48ac4eccb6d39b694629f1ec09b

SHA256
34c65c69037a53d6628d055024d99a9a615dec36349b5933c7a886ce8e914f25

SHA512
5a1813fe596995a286544ec012c2f8b8d91fb8567dafd8d4cb6777d3841030dda071b53131cd28f2c97d04af4c288cc893845c2303bcc571cf7b4b6ed42064f2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6527f5299631c9eaf1b0fa6e6baa613d

SHA1
6ef49affe13652470b2b17caef7658b889ff95e5

SHA256
ba833aaf134d6d43eaaf70638a15afd06ad46ecec43cae053bbb5c49af7f41dd

SHA512
3eaf9c1c3064b1a1b89ffb39bb8ffd984f0b1d329d3e699006eacf2f4e7556df8e797305369a784ddb65e45c9cbf37c05648a9494caf2e6e0b401c0e77176491

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7b9865d4bee2b4dad0edcfe5f947730b

SHA1
7e733bd0026257c170ddd26e5e0480b778d05597

SHA256
aefbc15ec2af66b0d358e7f3e5b7246804cbae553232e074e54ed6050c34680f

SHA512
9142429f60e160b99dc1ff1a27137b49b2e52c77101868038c6f87e18931d2c781e36d34519691f26c3eaeaef5517f510b055f33544ca0e865c1106eaccadab4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a9a1ed205edea0f7fa90f50d9d6f7130

SHA1
d4fa142b8c73a1580d4b61a34c1fe879793a22d9

SHA256
74e823416af7b558aa8abb541b7afdfe1bd95ab87c6e90205a810885fee0c2c8

SHA512
09e896f23ab8c8f7d3e153e2108e5989e9ed2fb68ce55ee5d7d49113927029cea3ddb86718ee2b51fcfc98b74b2021e35ac7bc34ec41237fd07b7c9103f1d6af

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
313184f738d3370c606eb9824270ccba

SHA1
546574d731625641b59f781de2834007934aefe9

SHA256
8ee7074a8fdc8046d21c5ff5dd79ac463d211010b3f3922a44a139dac2731db4

SHA512
fb13aa817448b36e41803eb6847abbc14c2c8ff80b8c0781cf02dd3a2384a1c82441dc30a6eeee120c8bebb9d09b40afe2453c7c43a782075b869be88aae4d20

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ad6e073855536cf0b848c39ecde1bf24

SHA1
18021faa371de76b9676c93b90569bf27f363750

SHA256
8dd642e74edf5fe0c6aecf0a21f619831bdb86f4744bab8b182a8e8b7b2995cd

SHA512
2c7a820a9ca60b2e803945d25890e5a2b9b35d62f04cedac0b48b0980aa604a6c20de72f006b36e9c273fe63631b846a0a68722607ff1937f51cb973962ef457

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1452179523e79e38607eff77d096760c

SHA1
7873bdaeb7c13c0debbb6d519da6f8b5ce407164

SHA256
989fdc9029b13980d8ac2f0f7a0fd3e32cb98b127d2d5103d9e998a3ea8466ab

SHA512
c1511815f50d3d1a5ad565037fe724e32a1375ef488baebd431421e880aff4c7dc67678b8a2b45f8606ff15461900d14fa1a7f67572cd91492c72b457607e7b3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
46f18f9790ecae6452c9f1f9c1fe058e

SHA1
73d8a86c8a6017c052e5230048568ee150e71a06

SHA256
a3b53a8ac9f665fa7408000b226b13ece581da4e6a6d2ef24d1587720fcf7c02

SHA512
551890c1a39f718127e64be701f5cf44b7f1600b53ec37adc9ed2b528a5b9ebc335cb80048d4a23c0bead8986340b7fda4a611312d4041b02c660dc61528ab04

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddc4864a7fa03f742ff70e056b3637e4

SHA1
3d9566b976e26261fddf5b17e3479727650f27d2

SHA256
32d132f30f31cd56e876f03e2deddf3204bbf3ecded9f72cf071c8a90becff72

SHA512
31ac1f44c0257c61259e5d25201b059a3a78883d2e279dacd8553d206e84277aff30a916ff2e6746e690424947c1ff0e36492506638e52b6da0f6a19977b8d21

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
44d8b731df97bc841afffa2e90d022b7

SHA1
f046b37a3153b4f60ade9c58b7f2a22f1e2de5df

SHA256
c77aa81a5ce8f14bdeaed79128dce22f1d175cd480e54df5b50ab144613d3278

SHA512
6707fe61be8d7dfe175e7b043c366287f57501a2a8673c2089d3a216ec3c40cb2be4107b86b14b9905f69b83204d3eabe2d9e5b0c8f349f886ed45153e6c1828

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2c52ef21e6a3eb1d6af125753cfe9aac

SHA1
c6f46b053f30ce853612a753ce3df0be91dc81d3

SHA256
bfda3d5a9b7d3669fddf2483af356a69d9e3e4868010ff8cdf3179f940d513a2

SHA512
ea739e37f865a42f28f75f3c78778b8fe66007ba0bcce02c4afd666b228d88e21000343dec1c55d5267140baae14f9ae582a9e8606967a233101f48de27c2858

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31a74e4566c490370d2424535fbd8156

SHA1
a69ed6a1e6846509976fe108f1ccb8671937a689

SHA256
b88412f29a907aa1c0c1045eaa5aa7ce747ff49f22264d76e08f049740a5092f

SHA512
c28b8382ea0f2599caad2481e55f9df313381f929348c006ca54adba3c04909e1ddcb7c8f52080c438b202d4fa1e02abb8281beb0bf45a7f60f4b6bfde0a60dc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2cd55b6a23a0be71f87acefef687e904

SHA1
3389297bc999763ead38aad8d815f0a828759cce

SHA256
76dc2a5f753115d12fb9b2826f42f34dfe69a1b65b130e08381e26a195417e4b

SHA512
e2403dcfcc1d4b51a1c6ce38ff8a7700ef1544194e434a01fe4c94090e0ab6329eb21daeea601307d9581d4f386d4ff7549cb805a3e3060b8b88b305b50ba7e5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d8d1afd81339190ec442b62efc2480af

SHA1
83e80a51db5a6bf164cf504f26ad6dcfa3f3c55e

SHA256
cc88378afd0d227c5340408b669c07c30f99bc7543b00d2f5f938bbee4869a3f

SHA512
03b730c1f4ce3c8a8726ef5e2d8630d2297047b36ba67ef1f45a05e45bff5b84452e021446da17e9eb42e3b0ee1fb76b2804025497af0dace9d3b2c1a1e6bb7c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b3aff0df85a1aa0b3cf9d57291133922

SHA1
4284acac319a3d88d1a0807c971422d29c933418

SHA256
873027317d69264ba01718d20b4235983ff2ff8821f799bb5674cd7d60845ebb

SHA512
3c179df7bd4a05dc6c093b45becad2f354e1c77683ad06456dc2659f0f2f8115c87a8272ce005aeba52e8fac55674a96b6653666b2b0e1e8ed54c36086e10988

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4d5d5e92516be7dd370c3a2145ebacdc

SHA1
07d3ea7807a18aec77e2f885595cbe3c145901f0

SHA256
62e415178c32a10ab751cdefb9585025adb9f1540f20b70a5eacc26d906fb745

SHA512
78313750dbe1e7649af6b3ba98ed914d5458ee33db7186bf85c8476e10f66ddbcf454d5dca303da4731ae851281c248f5ff6926ec93228fc59387871d2fb6c7a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9edf3ed168e1b88528a27ca2a17d9d06

SHA1
919c7ce7e30c5cff994d0ab73479eb4c9d299e75

SHA256
77afe3b2a74e8944d409317b82c59e31282025fa3c23bb3a5c2fa642306e50cc

SHA512
8ede8f9b6b3032619a96811bd07fb90295902cf588a284678662ef387b05a97f8d37f775460f86a9b6917be8a43397efd8d9162afe5a95ddd973a13571cf675f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d5480adc55b9cd5e6da6a2e0edd7311a

SHA1
96f452c8cbf3d4e5bde5c3b5287fb63acb929306

SHA256
5946158a0e3b9adbe58ed79f253292f16aa823f80ff99e65bc45f57c77a3094f

SHA512
d2c91b48664f66ead1ff22eb6edc9fee50115e1c679ad6ed6ebc571b3c93cb14534d040f08ee22b077f06b360e19798ba47142f3d2c9bc49b031fe2456d68f59

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0512a8c15fa9dd3f2e38ba259802268e

SHA1
d721a7a372b143ca3af0250cf681228dab0a6512

SHA256
b17a66e057f81515b5abcff1141a34ffd9f4c6653c9b8e71e5dded7ca880af34

SHA512
ef3edf0ed4e28851d44d880d2e4e7414759297691b1b530565c37b22e685d4b8a0f0554a6269df5c9ea635fb2198f15f35bd1f5aeafd5ca3cc861eb94cd26fa5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
737012407c852562000373d17fc712c9

SHA1
7bb829d532286c70040be67ee5b666279f4943d3

SHA256
24819d1c030d99f83023a50f5a8cdb92ae5fecdfa826964050876412ea7a4159

SHA512
8453fd7f3a45c20020703679e3d2e1851f3dc00fa3d8b01368b8f71bf512c65f0cc74a2bac48739caeadfd13dfc5dfd8d7118ca7ed53db32a33942d8cfdf3ecc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6fd1786bfd8480eebc50d09ac633176a

SHA1
ea0fc3f1bd26d371bc19b6fb8d664cad8d31af83

SHA256
720b604fca20ce1bac1af63bb7931189d6ea69928d9798693f7c07034db2da55

SHA512
52e80d9124b40d75ce3aa828afecb41b55342860d47d7841e8dbece515a1eead68b7c42bb5e2d70f9c2eb3bee2d759a98a15af7a753ffe10a144fe2f1620b1db

Download Submit
memory/220-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/220-556-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/376-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/452-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/808-72-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/808-82-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/808-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/808-78-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/812-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/812-49-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/812-356-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/812-55-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/896-41-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/896-573-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/896-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/896-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1136-219-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1136-583-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1748-212-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2524-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2532-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-582-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2868-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2868-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3152-204-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3352-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3512-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3512-220-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3924-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3924-489-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3924-19-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3924-10-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3996-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4052-218-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4284-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-206-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4676-99-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/4936-207-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4968-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4968-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4968-18-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4968-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5040-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5056-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-95-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5092-89-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5092-205-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5152-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5152-483-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5236-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5236-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-446-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-472-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5416-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5416-460-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download