afc07aef06f679738c460fdfecaa5af9b41ffd2b22e1449fb9dd05f76ce8747c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
Size

4.6MB
MD5

5502dec1e0e2ca39d9df81a8bbf13ebf
SHA1

aa7147b6c114f352127c8c6da7f88440f6f2eb55
SHA256

afc07aef06f679738c460fdfecaa5af9b41ffd2b22e1449fb9dd05f76ce8747c
SHA512

429f23cd298cf3e4907a94ab935a6a63ea660eb8fa8c615c0c197895a3bb38be7430cd09b89f2cfc050cc492e1e176b8fa3c92a1d8e1ed9cc415f5ea7387ced8
SSDEEP

49152:5ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGi:F2D8siFIIm3Gob5iE+xB7nmoO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4292	alg.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2784	fxssvc.exe
1800	elevation_service.exe
3472	elevation_service.exe
4932	maintenanceservice.exe
1992	msdtc.exe
3696	OSE.EXE
2064	PerceptionSimulationService.exe
1896	perfhost.exe
740	locator.exe
4656	SensorDataService.exe
4496	snmptrap.exe
1968	spectrum.exe
2384	ssh-agent.exe
1784	TieringEngineService.exe
1488	AgentService.exe
4168	vds.exe
4136	vssvc.exe
3644	wbengine.exe
4956	WmiApSrv.exe
2632	SearchIndexer.exe
5732	chrmstp.exe
5816	chrmstp.exe
5908	chrmstp.exe
5744	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\92d420f4b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c2ba7fee0cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000085559fee0cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095d88efde0cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033d96ffde0cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000138afde0cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
2228	DiagnosticsHub.StandardCollector.Service.exe
3080	chrome.exe
3080	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1300	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
Token: SeTakeOwnershipPrivilege	4736	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
Token: SeAuditPrivilege	2784	fxssvc.exe
Token: SeRestorePrivilege	1784	TieringEngineService.exe
Token: SeManageVolumePrivilege	1784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1488	AgentService.exe
Token: SeBackupPrivilege	4136	vssvc.exe
Token: SeRestorePrivilege	4136	vssvc.exe
Token: SeAuditPrivilege	4136	vssvc.exe
Token: SeBackupPrivilege	3644	wbengine.exe
Token: SeRestorePrivilege	3644	wbengine.exe
Token: SeSecurityPrivilege	3644	wbengine.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: 33	2632	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
5908	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4736	1300	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe	80
PID 1300 wrote to memory of 4736	1300	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe	80
PID 1300 wrote to memory of 1280	1300	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe	81
PID 1300 wrote to memory of 1280	1300	2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe	81
PID 1280 wrote to memory of 3440	1280	chrome.exe	82
PID 1280 wrote to memory of 3440	1280	chrome.exe	82
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 4804	1280	chrome.exe	106
PID 1280 wrote to memory of 940	1280	chrome.exe	107
PID 1280 wrote to memory of 940	1280	chrome.exe	107
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108
PID 1280 wrote to memory of 1404	1280	chrome.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_5502dec1e0e2ca39d9df81a8bbf13ebf_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc763bab58,0x7ffc763bab68,0x7ffc763bab78
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:1404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:1
    3⤵
    PID:2532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:1
    3⤵
    PID:5180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:5536
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5732
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x80,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5816
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5908
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:8
    3⤵
    PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1924,i,7868336508489777670,16833347508554418598,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2632
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2959c7dda31b6bb6ca557c48fc3838b3

SHA1
cfd94cfa04a751352b3c792aecd47300b08bb690

SHA256
f21e98cfc8f53147b92470927eb7470d62b543fa3098505d5bf1fbf5564c5566

SHA512
cfa62cc829f7f734ec7bd2d42ce80e02d9dc9d2ab03ffb5196671ca282a41abcdd63e6846b477765ae4ce8649e73563d36bd22cf9d17c955d5fd70de9ecf38b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
83f26c97a38c30b0166f61032fe9b520

SHA1
33117ca2f830fd4a6be848a761ab66f1a6da5fe6

SHA256
36a34eb6713f830000c3a5ad8bb78708aa50caf0bff6fb48c12a7b05687bfd56

SHA512
a07ea00455e5b95b2f94c04c488903f9063696d5584df57888a977889584f14dd2adb7cfd60897547973b2328377cc7a9d7c134f24e3cbb811fcc390921cde78

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
79672c916184c9e7768adc36ae5455cd

SHA1
eaf939ce0b26a4ef8caefd17643d6aee2497d3cb

SHA256
6d2c71f1fd87bafd34da4a0c4208695a3c384cee2f7f7dd3d46962ddc242da45

SHA512
b0ed9cdab8d66130f769aa1f13dd015f415b916c633af20cc541eef74990e473b8ff10b5fb9a1874e96208fdd80ae162f732e452bf94c60da07008b38b482647

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
72592f24332dc68a1287725214a7db04

SHA1
e6c8e66c676201a76820d8bfb15ce286e16488fe

SHA256
2c7399b666f64b9c31874ffbb0c353686bd1e046e2d3c524a784de169ebc8403

SHA512
ce1a6f077d80fff158b80b7a8f121a7e459293ae1582959f6423518271a63955f5ce8796e5a0a34baa92b8c767b80eaba9ffc2b35515cfbb1f0c6980ac3f1b9a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
19507500684f10e16685bb504c7a55af

SHA1
87f0fb08f3e19f8a55eace28937ccdaf4b6fef1a

SHA256
0f4e54695f04af93e157be6d39bd440d3899014641c2d1f72b08bc3beb2f6cdc

SHA512
35a7cce924d59c699155bc63dc5cff2790a4d1730997e51e2de50716a50dce12744291d9c3fe81b45f033c017af5dadfd0a71e6012664796d8e1edd07f77c5dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
54b3a58e0a8a983c7f3d589fc905c14d

SHA1
0e80d5ddb5a29635abb3d89c5e3370c28d1570bd

SHA256
79e1376c690e0045478b56fb1a5acd94d223b767a4ae6e11bb9c19c5f4c6cfcd

SHA512
cd339feb3053aa92ee85b8923aa538733d66a0242ae4397475ce8f2db5fe9f3d534de4b5ad5f5b6ccb5d924f79d95ff974a1d0c609a0e1ef3989f9270b2084f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4ffa8699edfd9a1fa1a61d8c8231583a

SHA1
af7ec6f105890158e1cede5a5114868cb03d0299

SHA256
d6d5534f3a4e88deb7d5df13fbb8f43db44992a0e2a0c36949f8b9e469798728

SHA512
9f117cf74c6d127a6f6a766ce1266557304a6add25313e69bf966b7e9a43503f478b774bd8e304ce6013bfa2ee816ef351775d2b69218e3f5027c96a079259fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d9f07408ce3e9b83f3896e3d0986c673

SHA1
405b2cac02ab8933374df362ea1b383562f67356

SHA256
4641d55f549c4fcfc9ebacce3d9f95e42f01ca9c7b1e2bcf1464b1ea2de424ab

SHA512
237e23399cefffae4a9038d83c9999fa1fdafc182898c80d420b65fbe04f7e6602529957d11ede6dfe7cecc5bb3b081b259ea7706b9e0b4374dc692040444ce8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
85cb33872c7881f1f13ba372a9098b02

SHA1
b38f9396c126899ec0e9dbd5b63be69c795f934c

SHA256
32d7473e14dd874717609e4f96177cbaff81da1fc0a42fa28ffc2550a2106205

SHA512
03daddfbd4160b7684b4b9743ca0b19a622fb4e3994d399197189a7eb8a216f545c921878ef1484d04e64e538b8cb1c599624c7422f1dd7d26b93510fd7def3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
86923ca4dbdd83ad04dd525e686f63df

SHA1
e33b59ae585c6b6261cd5024e340dc97274733ee

SHA256
bebcab5cb60fd519f8bd510ac43d57572b8d3bf4dbff0982301b635fb87ab58c

SHA512
1913d6917bfcf5efbc2a32dfc548092296acb6c044db6101019825d1e5505589a1e30d584eee1685f94bfa5955c54bc6f9999e1fc23fbeea38e8cf8fd832ff18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9ac7d293e48722a4663f3bf779176177

SHA1
dc48135db0910d277aab7dfec63a5e12e0fe77b3

SHA256
4dd6989c7ddcc786449bbdd8723cb66c4c93af914b45e8eb7056316d22e6dc51

SHA512
66260c66d48d07d735648c08b7d2d0938befb51b76a2b2007a44523a66e700e08f0f3edf49dce160ce76d6f457ad2fe92d36177531aeac2960e942d47669bf7b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
972c68e7516c797c46bbffac1b4eaa5a

SHA1
7ea84ad0e263c87149e12d5b67dc46267f4255b3

SHA256
fd17b20d1462f643886fd8d3e277ff8ea21a6f9f62fbaccd540c3d2c4d9201f2

SHA512
8a040108116d09dd616e9536f9305c11c9c978d7fdfbe07c21f930c7c0fd505ac1b18a0967810e773a352786888e54a6dbda04522573262d5fe61c29bdb753cc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
04fd1ff2e97442c81b7a48f897c1b638

SHA1
f5da584f8c1d93447ce8cb972e2ca4d515ebb9f9

SHA256
813900dc5d2ba4e2aa56d51bbe744aa9aea9006e2c2937b9bd147233a01cd33c

SHA512
97c01a36018ae1d0fe3f0b7da6c384ecdd15e0cecc8bba1da27250db5360d68a7fb2f1af9bd393cd9bdaca511b56880075657431bdee39d9b83ee66c2dc3c143

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
07ceb393f20904d857046e8bace63ea2

SHA1
4f7a01454a9462f1e22e7a92ce3e801142d3fb5a

SHA256
16993f8bebc5657a8233073c0f2636b3d64b9f0c0d3b93e5cb28edd50f417c60

SHA512
34d1b0b54cee0ae673595c29dd71a475c40380b8dea05411841aa95f1903249a4fbd2f04181ac9bc6a82e32ebd525b2faed5a27d7f257123c042625bc72f1012

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e3e0c82b2abd9862f6fbd2de4ed9f73a

SHA1
aed6b706098bdac2fd199bb8dc4b21f581a42548

SHA256
76ff3720c9fb9c8b7302dfc36bb90d46e028fd9f76b11fef441de4578de6eaf0

SHA512
6098732e3c4cea8a36ecbc5c1ba2ba4268b5a1ffabe6cd89f8d81db7269d9cdc903cc016f021bd82d74ba6579d9e502965f2d997cdbba8a2644105a92f5627fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4dda27189c0f03147c1d830aea40baa3

SHA1
84953708e159c1798c15a1fc92789db1c4ffa564

SHA256
4094aae4b439084c6c855374b906eed0ee8274d2c222a913214a98b2cc99e4ad

SHA512
7ec442b994a6e1c2edd653a4389c95df02241e4d3f795112bc0551c9bd193ca1f43d229ea544f83fb40c5d5cb107bfcea253c1f24af7bd441fc7bbd3d3b4e959

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\67a8dd90-f21c-4714-9615-c58d677d6557.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d222783a5b6cde84e753c89622b2d2d2

SHA1
eb0b105bfe23091a8f678da20b1e6dfdfd255d68

SHA256
b3b89d5f551db9dd7e30f51d10cafef4398e3e6edb0a19570048bf3a67032df0

SHA512
cfa3284bb960bc097ca2c453ec77b7eedc43d25be6b713c5f5cc010450aad746703fd0c60d48500fa50b74e0504f37b9bf14350f942ed91fcd266fe51eb18059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
24a1391dd36110532de466642bfe84ac

SHA1
57e808f9068847df1ea7c67c6478aee633987e91

SHA256
89bda0b1c20bc912f35bb87f3f31b882dbb58339a40388cde45f6e60b0646355

SHA512
752c490e5ce75eee18d40e4480b8a2d6f610ddb6c265c6d1791179d6c3ae88c364e7c324251325004c52fe93b8f84ad6b9d013809f9abf8f8cf2658677adab8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c93827e587da035245860edded439e3c

SHA1
18b63e13aadc6ab71a0947b68dc76a569e162da3

SHA256
dfae7760152db899d37f7096cb50e1307f1b1e03e4dadcf59d87c28af9d952f7

SHA512
8c9217532a53390395941612c85e6ac1b5bda0c5215978d06a281f5b49ea57997a96796402b76ca6d5144d5b3b95b989e0fa73b8ebcc03c2843d8958f66d0980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
31e48bc8f1dd237f721c83d627917e32

SHA1
1ce55e91c1eb83b77860e96086d0bbb2ecfb15b7

SHA256
c431eab558f5b5ece22651fbd875acbea99bad4fd1c59e541e51d041f01f8b8f

SHA512
7c3de91be3d889fb5167c9c64f7ba524d9199ebcf4f0f85e8aca4883df3d808a1c021f55a4f3213d441cdff1023fcb2d2d9ed457d609942ce4354ef085366bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5771c5.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
dab5adab113f8005c46507ec66ab1ead

SHA1
0d0964dfca313d14fa6ff44129931c0057a9480b

SHA256
b285a30b923b3a78211ae54474ba59a64b1f605b3b19a727e77708299788c042

SHA512
33ed4e02f1348273cfdb5312d0b31cf381661f4733a900fc740d5b902a017671bf95fcae5e0b0f078d1a61de436cc0d4f14265a6a21dbe0834766a18fe74834e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
272e2f660e6e1f5edba8bc8f6ad7bc52

SHA1
eb7e579c92211c034217f03bdafe9b06506bf220

SHA256
3d81f7e4ebf28afe64ed35050a7008383b17a3515838d74a339d9944f21a4ca5

SHA512
a8d239cb744afe4671d5bfbd1e6a1e3bef4ca9eb9d22ad666dbddf7bfa0ff7f4f3760b40471bea56c1dfd564a3411a058dce8fc9bec3dc2bc52307f625d39cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9b66e21ff0513e38db9cbd8d6e338332

SHA1
3ada3ace299480dfeac9f17ff82d86c3a5f4a2f0

SHA256
3955ba5c1f687f00db4e5f2b8d3aecfcb659348e873e0fd82a4f8c935c37cf80

SHA512
09ad0ea6846b52ea3728b6ceea358c2cb6af1f55cc28c4bb978972f45db055c81ee4a7d1de01bc27c6d2edcd7aab45f071210ba768569115957fe08153edb3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
af7dd40801466dbd02ec758574948707

SHA1
ef882cb6772fe9ef48da5af7183d7dc30f0e12ea

SHA256
2c51f98e11d737dc9292756728c96815f26014d058ee9658192fdc63aba7bda2

SHA512
a4b6d78b2755839a79cd2a23982ecc98036ec7f948d7598fe597c0184da72cfcf8bfa781ba93ec07f2382a48a6c0c1362a206f7c7163ce86022462e1f58c1ab1

Download Submit
C:\Users\Admin\AppData\Roaming\92d420f4b4b1389a.bin

Filesize
12KB

MD5
84701b9cefde8aa44cfe5b20948e9af7

SHA1
2eb476290c49d9a440e8eb6a11c2c9f24536936a

SHA256
717d34d49887f52d4e6c604620ed943462861dd23f2c83755e2533ccb258b671

SHA512
d82eca67ee4bb71a68a60468404ed40f2d85a442b3389a7d40e88d6f0e9b21b533a82562c70640890bec23a580baea894f53aa04c4c900a1524920e993b556c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8e8e9b5fcb3f699e86f7bc21acd0e923

SHA1
5500ac0d3d417b580cc6ab989fcee5fd95418136

SHA256
53d067fa38d051484c3b4647bf8bb30b603c8adc148e4bef82635f0ed252b56b

SHA512
6d9421333dc657b41e771303b120acc04ab40c533c77c75f58ede3ed3aa6219cebc4b3fd8c6474e2eb88ea2328c40433e439c3389c57725a10f591639eff1c90

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
95b03db4dc4b5d27d9738b2d91a876fc

SHA1
2debe9121e5c1486fceb8aaa9cda06c58798240c

SHA256
7c99310d75a56c6f9a1d64966472db44db1d7f7bcc419df0125b33d2c086d349

SHA512
7124905acd394b3544fbe65c9a37cfca0e3f93b802394af6909e51fc610b350eb2347bbc3d706de8a7f2fa675ae36e26507bcfc39a965cf1d358460183a7e975

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
91dd2abebc2ad4f777fd06eaef3d07aa

SHA1
20d1bd3c852e205a93002c233b1a1dd786c2756f

SHA256
3e4915f88a3efea045589a4c2faed549ed3815e9d50a8f3b6d42459fa638ca27

SHA512
d1dbf15e3f403f84f1bf392f8f1a7209371ab3ad717da85a7caf0b7ccd83b584975b591ad88962edef5a7e8119985b5546d29f54bc977e8bc200ddc406f56eeb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d5200f5609acc6a3b998732cf172c126

SHA1
cdded43cbc4c8b1d0beb6ceecdaa48d029a15529

SHA256
46ec3192d2377550e75fdf32be8cc99e538802d2a653d463896f1cd2686c5ead

SHA512
39c29547bf1609c05b850ac890da4b0cbf895a51ad5c4ca8152a19cb1f4c527ec30d03700b12f5148d9bcb90754fed93a319ade4d902ec76cdf8becc40d8238e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d2cf85ecc31b9ae2047ffd44b62f6fcf

SHA1
82d3c8385c8041bd7a475cc13475b6177dbd11cd

SHA256
b4445966eec05f2e50253bce54ba115055385cfb2d25d2688ad8a2e604c1ce20

SHA512
902afc59011179bdde5fbf8378620d4afc5b1cfcbe1001d30caa1851e5b0d51113ff54057059d59c58679b7b65b86fffe1feac4ff4ce40b909df993a2eccdba5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fbc6c8600c6f15953b4ea4a80a0ad3a7

SHA1
d963ff37caa41b552e36de94db65dda540270e2d

SHA256
8a50c89cdb610c3fbaba6372205936951cdf9dc3f2219a801b16737b1cd5b361

SHA512
f556bbfd132c94f637fe14bcd01b5b4b4f817dd4e7b4fdc4f74ef69909b47d7134d71674f7ef13cb7cd64114dc80be319f3086c2200b36733871b69c92f3320f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
34b136dc52bb2329f8fd9bb047f31b8d

SHA1
7a8d0e0c623e68c5ef30afd1821c28d9f2e5270d

SHA256
e8ef0dd724dc8f0499d76be49a09f52646ca4ac862099bd6cb85cd6a30e73502

SHA512
f566d242820bc101df715e23d642b141815e1e71bccc8708642443e9fb5b31027c0043adb067fcc5a54187edd6e8e568b16accd7db6945c559f24374186569bc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
43dd6376884f7260bf3dc60014643b7e

SHA1
23f39b0bd8ecb16940dcf9c7150dd94c9c67e32d

SHA256
12fd0667b77e5697feaabd9f6f968beab90a226934dc3b34803567932a64c2e5

SHA512
e88aff7601e14f192444a65bef1d8cf83316ae8d3b771d0f6daeea14a9ebc4a43659e7ccd41c772857740e4c5303e0be921e7567edee27a652a11296052915f7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a472bce2015d9bf5c25425fa1701170d

SHA1
d7789483f3b55c1c2e0f1d8dc23305e60781c86e

SHA256
f2b89dd1116c8c6352360abeef144ba00c1f7f844e0f53e55bf320f04a51a736

SHA512
b5f61e7bc2a36ffd902687e60e48fe5b278d5954e340dbd16b5f2ff5a5eb4a49e0db9c21f7ec51001d6b78705478806af38de260afad2b6e01a6dee6f0ce96b5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6e87e783d7d7c288d0e39c6e82761090

SHA1
31d66562a8b1642ec0d060a20dd83db36040c5cf

SHA256
5be22230be4af10b29480765faed19a98245862b1c6b080f8799b31cc1637816

SHA512
6b8ced5508c83c2076da72e97026f7371dc972892fe5cc34012662b38ed6ef7a7d4bb46c6a60d63b6b33d339e1b9c8a3bdec6ef884e535fdb180ee45cd4a6cbf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f54fdde816149aa40cdf7034636a8e18

SHA1
2afc7ad01fba94f802cbb6e8a02be9059a481ee8

SHA256
581fa047003fff4bd6720b13d564dd62eddeb7f00fad65f83a9ec61a514202d2

SHA512
13398114d69eadd9a0882ff0d5f86a689673254a41a6ee52519b6126cbc7ec93f31fcb83a85cea259119e6d2fea12509cca667c466e7b609c218500dc3510f12

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e7095eedda53e4a4ff9dc065b16d5c49

SHA1
dd2a83183a36cdfc04a4866087812543c3121233

SHA256
da379b7f80b587fe90076224d47bf92e129c9dc5eadab76e7f439ce14c154065

SHA512
469af727d33c1b4686aca985a8b18db17f1322e5bdb7c1a0c5b9746fe29c15e38d02a228db454e19271b9eea243a39dcd169b0b8589cc714c1f303809a0d30ea

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bb5b3acd8bc63ec8669095f08ec82224

SHA1
0534992c4e639b0895b277b6f1ebb0ecc523bac0

SHA256
c1e8b9f2c6818c97d7f461d5fb447993b25c8079bbf589a0fa40f75d83a21722

SHA512
5596032f2f6176faea0f35d1d0408158c2f399a06719c371430c8edc08abd132c355fe6f4edde52f9986114823a0e225673406c50d8edf783b066313b2b215ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a8c36da4eca0b93d02a76fcc868f6168

SHA1
2bfc525abb4e900f0a6dd15e80aaeb466d03fcfc

SHA256
be627a51c0439860158d258c1ee2501e896b4c448f67ee71f47901ec8413da53

SHA512
c501f5364b3b69112d32a886703c89702b16f7761ed493653784d988c2707a67bd2f883bca856a509187ee777db179a158aa14c338a4f78733d38ea9efa0fad9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
eff67751be18951028975b96f9bcc3cf

SHA1
bc48b4a3f593b06eaef271f01ab3889727e348bc

SHA256
309e4ccf756b1e6f29396b1fd070b7ea6ae5fba16ea8262642b174a057c3b19c

SHA512
8eaa9d6402cbd78fcdccef24082e266c51c2ee7cdd88e66fe4290d82c918ffd5721628a9cb62a62b4facee0abc4d04f0f304fd26b9c7eba158e7fb96e8a5d7bf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8aa90764a5165c3e8750f01589d9f13d

SHA1
1f6cce7ce8e5fa4102613d192679106ea8624d5c

SHA256
024ba851624b6823df0d585ebb4f4f08a6a4c1172710283b748bdd42179cf29e

SHA512
ea81cddc813f11c272b032319114ab5ccc8acf9956d8841f5f653b554f72ece93391e3c7a32071c74e822be194b901c4988dbf8c18f1086bcc582426cd5d9062

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cca922293df3264ec3524bb4363eca96

SHA1
0132238a240a6fd5cb7b0f75926f6d19bc9a9d76

SHA256
38cf415596374bf337ab0bbcc25db41a2bc3b3846e5e88cd0d9495a97c26dfed

SHA512
16c446a56274028b012f1ee0bf1449c753846e0932f5ebe2fc805f96a5c6ae1fa9f7f4282e4084cc0ce120abaf07cb5c71b9301ad4b4f38711687562c452beb3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2d89802de03fcffab245ddc4c42ec11b

SHA1
60d58e35d9d478216d624c94db4c22b1ebfb66bc

SHA256
d6589a3795c93b3755daf3d434f7e598723bf28fc2d1da89577e8bd1143f7d8d

SHA512
1201d8baa99b744cdd891ee87d800d2d9bbede12d31b459d124fa053c5aa2208ff59f1759bfe326a5bad3f12f8668cc93290fbb09f906383ada762ef9870a55a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a8632dc0d3553aca212dcde2676fa3f1

SHA1
e9362908f64a33c530d9f5edd3175cfc3a952a64

SHA256
f633acc6e6087a292fb6f2c0abfcdbe0b4808b21537ccc56a16bb86841a0c7fd

SHA512
d4973771f7c0f96be3c866506583cae9777d25262dfdcb891c34be0ae4c8cd0abbb40298a0c7d05a5a647d2d0340fd6b333d311c3c0353aac748113f5543b31e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
971672165d2dc9c19d4f2942cf18b9c7

SHA1
18a01e0d03e8ad0fddf75488e0b81e058bc50d13

SHA256
1a65f14e17059c7bc312df1392674799253d73572b741915e10832aa5213dc19

SHA512
12842839ac38a69f1b21cb2b469bb67e6ce721312eca1a2f61c594bfb2fb3ba9f532ff71a2e3403e447a3f622bbe60c5fbfa5eef291eb407fe78476cf9597494

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a82afe7a72f813500e585b441158833c

SHA1
bf3fbcd7587a4f45eb2ae530d19e1214f29aade4

SHA256
ceddb367efb7ff8f6a9f785599e854934b7fb43746f56f3454e31eaad3e870d9

SHA512
dd5634598b9a748231cfb9407de624a9cd3a904317747bf6fef74710a5966fd3f72f0e024cacc1888eb7edf91e7bb296e6a2f4c312195b4a092e00d5240fcff3

Download Submit
memory/740-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1300-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1300-9-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/1300-0-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/1300-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1488-159-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1784-680-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1784-183-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1800-56-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1800-50-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1800-251-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1800-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1896-177-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-679-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1968-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1992-102-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2064-176-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2064-106-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2228-43-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2228-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2228-41-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2228-516-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2228-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2384-182-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2632-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2632-198-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2784-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2784-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3472-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3472-667-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3644-195-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3696-93-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3696-99-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3696-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-682-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4136-192-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4168-681-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4168-191-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4292-515-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4292-40-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4496-180-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4656-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4736-461-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4736-10-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4736-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4736-16-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4932-86-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4932-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-75-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4932-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4956-197-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4956-683-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5732-490-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-427-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5744-686-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5744-464-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-685-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-437-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-452-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-479-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download