72f9381794449071c705d08a8ba6de38922ab4322215f18310ebfdc0f2a573b0

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Size

3.2MB
MD5

e74c470f0d96f676c6c4ec5050c572a5
SHA1

be451a9c79e750f8153b0023315a3247065b6057
SHA256

72f9381794449071c705d08a8ba6de38922ab4322215f18310ebfdc0f2a573b0
SHA512

4042575dcf47e4ffd63e74a335112823875340a5c53c171aae9761637b9b6127c1b62a6c78629431aea8b0c1cdf58946814d4345f23dacb25e251f286ef4d50a
SSDEEP

49152:Y5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy8kQ/qoLEw:+NhSMYw8yEqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1096	alg.exe
540	elevation_service.exe
2600	elevation_service.exe
2556	maintenanceservice.exe
2156	OSE.EXE
3928	chrmstp.exe
2412	chrmstp.exe
4164	chrmstp.exe
3756	chrmstp.exe
3376	DiagnosticsHub.StandardCollector.Service.exe
4180	fxssvc.exe
2580	msdtc.exe
1052	PerceptionSimulationService.exe
4400	perfhost.exe
3272	locator.exe
4948	SensorDataService.exe
3084	snmptrap.exe
4916	spectrum.exe
540	ssh-agent.exe
4384	TieringEngineService.exe
4600	AgentService.exe
1792	vds.exe
4112	vssvc.exe
516	wbengine.exe
4308	WmiApSrv.exe
4944	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5d79c918d8c8c63e.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaws.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ccbeae85f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce83e7e95f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f54f32e95f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004188c5e75f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000334056ec5f87da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f8e49e75f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf6742e75f87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
1468	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
4616	chrome.exe
4616	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	448	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeDebugPrivilege	1096	alg.exe
Token: SeDebugPrivilege	1096	alg.exe
Token: SeDebugPrivilege	1096	alg.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1468	448	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	86
PID 448 wrote to memory of 1468	448	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	86
PID 448 wrote to memory of 2520	448	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	87
PID 448 wrote to memory of 2520	448	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	87
PID 2520 wrote to memory of 4344	2520	chrome.exe	88
PID 2520 wrote to memory of 4344	2520	chrome.exe	88
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 928	2520	chrome.exe	95
PID 2520 wrote to memory of 5044	2520	chrome.exe	96
PID 2520 wrote to memory of 5044	2520	chrome.exe	96
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97
PID 2520 wrote to memory of 2376	2520	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb30249758,0x7ffb30249768,0x7ffb30249778
    3⤵
    PID:4344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:2
    3⤵
    PID:928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:5044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:2376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:1
    3⤵
    PID:3352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:1
    3⤵
    PID:4960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:4312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:4376
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3928
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x2ac,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:4164
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:3756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 --field-trial-handle=1888,i,17861178701919237850,7597717654710808538,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:4944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
78ca5124ed9b61d6c33ba0b7417d0620

SHA1
52cd64291194ef552878b9460b9a446e1b46723e

SHA256
3b06ac18172538f4e877a365cad62cd12e3b74f8f3819032f2a71919987b2696

SHA512
84ff6ac0236ca35fd3bd6a41bec4f76ea032fe8ea717c2b08fff00d2981db0360fb01e426c927f0ea79a3fe7330b80c92d40ac100b3da2206e93804fd40a167b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
bfa2a1cd13372be5408683aa0db9bdc0

SHA1
adb059364be28b34c89a75a6d6fb3f124744f3c2

SHA256
e91ee4dc3e9bf8a68a4542d465adf75945a41cf90d44bbc3ebc0dd99459fc62e

SHA512
1afc76661e6d99510814d5f558f22eb79ae842f8adec637f0e3e4c23fe559aef9bb4bd6bf803d1bb11dfa931a435ad40aaf46bbad7a2931dd1fe72d96377c64f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
446510a37b3f693072f421a0a77066cd

SHA1
d9ca44347a575df70ba25377fc5282b8d8872bf7

SHA256
79a40a67fcf2105c201a28db0bd6fc3bacb8f78453151fc4f8f47d94a7a3eb18

SHA512
dea034c4343236621a2af72ccccd652cf7d372e3cdef24c4e16f4dcbc8c7ccf83917a1b2eabaf4462e66aae6f3ca9f3a5b6c7be6e7fb9199df49862107ee7957

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
54a20ba1dafe4029180485022b708b25

SHA1
3fe7200a92fcb15ef82baaf69981a5e319197c07

SHA256
57fdc50af2e5db011594759092dc9aa681dc8bd3ab62d110e3cf09f6a36324da

SHA512
ddf929b264862c83b0b1853ffc3ea8f3ba8ea83aea48ae973eb90869274330a6152e6695a7b75b926c7ce4b882fbc21c204c5ba27a1f23ba904c0ea9ce211914

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6083067732786ca9f149b848ca5f1ca1

SHA1
f7bac015a1b02da4db4c6272753c9d906ff8e8c2

SHA256
c930d7fcd62c3c3f31d588e8b420751c2ae25bc248f1de8ea43057af89485e6c

SHA512
e2a3d4a0010880c840cd9b3bc660995d9cc374236490de856bade0f3d306747feddac00c41bad1d912088142cc1807ab29152bb981e4269c3f5af57c1100d654

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
caee25f2d2169919014fe2cf253dc59e

SHA1
3057d8f341a73788046573c152328809cdbd4fbe

SHA256
dac7a0efe664c1d0094b55cadef0964bd15c747a9906779d59faa9d18ca72623

SHA512
73b474011f12c2a605d8acc30a91e28e6b4f47a446214c94831a9a9a67175da65338c8cda9b52e596aa42457c205bcaf21078732d1e415556bca7ac4a5c36ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
303c4365c09014b656696b1ce4b4b78c

SHA1
a290089c20a259f8425589357f19caca137aa9bd

SHA256
b6cf6d99b5d8a913c5ae935759edcb42230dbaf7fc0fffe73ceb973b189c1625

SHA512
ef562145145ffb74f493db2ceb9396c3cadf2670082d0d99a125e8461361c56e8a2bcdf6cf4d688b6edc95e32bc625564aeadb52f4df30d0b1db26a52e5abfad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
db1b78fe9d5d6702fa4ae1927768a498

SHA1
fe1ea10033ed66abd46216cae681f5b6254a4ff2

SHA256
46880beee093d5b3412f0373e6d6c46da54901b03283a82895b92d0ea2ece269

SHA512
6340461dd74fb99959fe2c509375a6da28ba8bc049eada77d927d236fdcd30bb9c7d7907137b1300fad219bb74df71c914482ad4a8144726a970f7dc885caab5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0ceeea256573674ebc51c22c1fe9f88d

SHA1
78b0184979e70b651e088848d0b47712268762c6

SHA256
6d0c28d2de771382d5c7cee0f0dc72d6ec09b305c3b66214b197e7ed406f3c12

SHA512
0d1ba150f6c5c7a4ae91eaf8ed2498032bf630ba3ba9f9e8d28d27be1b99706df0fdaa5ff970ea70688522b1df884f0d94189067d0c0af220a0c5b4d01d4947d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c121b4d07031c498eb42e1b2e21f93e0

SHA1
7519439557110553e2c065bb0d6db8776ad7dbc4

SHA256
fea1b3450cb4c902ac545d4063b4fd98b93a7afa51e09558a2bca8ddd08e0b16

SHA512
41cffa2e8974b5a06a46ee46e4993b79edcacb019de7bb6310daa6c9750442fede890dda39a1e0091a65b6ba471683d78cd9919ca67eda71d4e2f70009e277d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a6af10487a36827116b861b6c635ec4

SHA1
1bc2ebd3afd48eb1610deeed45681c8f713e27d2

SHA256
53d5ce77ec3b257a56ae502e05362e93fde39280317a37e1ef417bbb005bfe55

SHA512
04630935d1819ac1055a0a4de27f44091fbd5913b25a4e2aef4b14d9be76a4bd98dfd590bd100b52948dee95e1179103c656d74db546e487a3a68728562cb025

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b5fde57023ba2297df62b54e6c2e484f

SHA1
075552b5fd8af43f9b3e959fe9d4fa7cbf5bd576

SHA256
4189435201832c35a937f7ccf9ec0a3bd72a3705f793a5a03e3d5ff0bc10d794

SHA512
03d1e7067e44d2c73b32f18d4dd166606346fc61edc164ff5b34d28655aa1c5b81cb249ec10c2982222153da45748d4be6e303dec951528f48c5fbc0bf4a76d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
065e60019882fdcfde03d0dbb52d2cdb

SHA1
89713cfec6e64a33d627971b350a0e5f807c7159

SHA256
25af92529628e071013cc3ae7efda7958c94b6a363d67b7760b24cd4f215e188

SHA512
6fbb8cbfd0252cfc60dd19c38d0ef5e6658a193cb5b23d2afbfe417769d1adc95d4a0edfb1a601e625cb7192b5b8e5bd6c965cce5fa3fb21f087461de9799f83

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
300521700da97cf58e9f58560b18dda7

SHA1
589c822d216ddf17ffec442cf830f99484c51c7b

SHA256
a22eb535bbf1c69d7e27b108214605b20f20d1c3fdbb5506f62e9dea52ff6c46

SHA512
eb58ce67b42fb4fe27becede6fbd853ff54d4ff1772e855fb6ffd491ea5e5383d1413936bb5054ea6c12eefdb904395d9b3a699684b929de541ab6895ea1d2fc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9418a1d5774cc4b88febc91ee975335a

SHA1
f43d95cf7b3f4bad79ad76c4d99e8c41cf53cad4

SHA256
4538efd90ad2a3fb93d8da91c0ee93b0e07875bbed37c00d9508bbd1950384e6

SHA512
8d2d6136e09755f64fc4cf38d167f6d60362953bda1ef194a6ca4b3f932fca323672011fa02583f52620fca3c34ce735c3edecfa2bc89bfd2ddf0f415288a12a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
53f16f9b9d69cc5c12b74e65765aa47c

SHA1
6a80ed6c7ef9b657b1b47b20d8de3edaa15fe9ca

SHA256
dbe99564dd497f1599476e46f978a797241e69d1f333bb2b60c2b864e080cbc8

SHA512
d2528a1a2bb3cbd1413fb56c2983a47a68cb4e972764b31c4de90f55f1855f658cfcc6d9c79b9ad6f919d5086cd6912cc901aa06b6c3f8e7e54a2f80761692d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d9d4d2593b5a352453f1de972f28b281

SHA1
58be9059d309731ab82af9b1c1d092cfaac68577

SHA256
4967f57798ab17700273c293164e6bcb6fbe02fb96c30c128f651c8d06358b7f

SHA512
46ee9a268139d947c369db6c7b58fb0cf092d8daf0818aaedf084ea5e8b76b75a3d7d5ad3ec155a95713c57e2bfdc9d23d68c84e2d4c6ecde8ec5b569bab5b4c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d5ca378525a5ff25ffd50048a3f91cb2

SHA1
542cb02a267b2fac92d6899d123fcd113325886c

SHA256
06f2d8bf45573e385125a7b0bafe1901a409d7f6372828a9e7bb4ddd3be489e8

SHA512
958d9a859f5171918110984537d483d21e3aac281f3c776e3b359a597e9c083037f619fbdabae1a7d32261e41700c62e46e4ec30b7bf676200facf7b82cb26b7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
34655142a123c608968214cad2e86131

SHA1
ad8f19d0b0a225edcbfe70f19ad06bdd5c753a3a

SHA256
3bcb4046d308a1df89bd713f65348b0bb4444b1d4e57eddaf0239417d749000e

SHA512
bd018f5d31ad9acf7deb37bb40e4039473242c4f1dd078a854ecaace130ee18c051b143a9f30729ad6b69a9d302693a2ce8ed8ea2998190f222454b90126518d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
7aecb3ef5ca7abb7cf7a89fb4a623efa

SHA1
8f60d28c48117552bf13448b1adafb7ed48f3ef1

SHA256
4588ff81271a44a7e07c10706163ec538fe3617d2a2b36adad61a2016b6cb8b0

SHA512
aae823da4df1d21036b7f1f5a78f3c43e18edad7a99ad130f05366cf9bde8be08b5f4c9f14dcd73b45fc4b57450588d870123ed429e97dbdd854feb5daaf071e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3319ddbb5da3bbd148fb5659047e7de4

SHA1
1ea7588e88250241d832a00d8b9b3a048805360f

SHA256
e15684896a7932842d9f90d8821cd0fb8be4dd0053149fd15965d77ac1ef3f71

SHA512
35e4fdfb64d81d6cf7e5a04ac6bd031ea88220b107b2d56a9da6cf1890e2b2a4800f585ad58e4017dece2191b4046fd9bf8788b9b687e6b0f6500c331068e974

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
d918002608cf13eb35bfeda39e4ad447

SHA1
7f939d855cd90ba73f34dd40484dd02e6c5547d4

SHA256
1fb4e320dcaa90995330ca19ccaee458440582bba5b24f727a17ec55c58f9439

SHA512
de3ffa3c33b38ae4734d13a93c6da7925db214862a1e862ec1e6918a9a6f5544defec0f0a7cab150cf2c1bdbccc32dc4beb33ebf862086f1c5e7b8edd2d0e80b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7f652922f004ed965b78a444360adb45

SHA1
c681cba7ca5514905f53cab070f45fcc549b8efe

SHA256
e888caafef4d1107a5ed6749cb7520e7f7eacb2b0f2cbac9f8ba4882167200a2

SHA512
f9f79f1360f01ded2ade45a14af8755f9d76d02bc82eb643bee7d1ddc196b6502047a34878e90706878e15ed25ba85b3e32cf0325e93f9a90038e429b87ec294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
829df9c4695d01ba9a83a51cbc673167

SHA1
7c5d13a8dc5c28e41256e3f379017ecee9817331

SHA256
be9da8f092cdef0e44b99402af422371a9d9cc8fd8d692b71a31f4bb6cdf3047

SHA512
8234c90cba5d7f138d2f97c9d3219c858d44e443ec9e61aff8027aa92727b609ce36c16dde0b2b4fb8cb4c33c1508534c10690566a320b6a5675aa71e273c5a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
8a4ae9ab8209b604c6adf13af8a091b6

SHA1
ed98a4b13a63ffc6967e509cb5ab36c92c26d31c

SHA256
2b9b90cded9be13171a081ab95db49eb2c4cb8a6a08056f9eed31f7800578da8

SHA512
d3d3fb10fb81f7fafc7d8e22146d73dbfb860b6d1cb67e5ef0aa6e0b91bea2398aba7fa6a33ec323d024a886e748aa476d038350e70b5a119fd00812a634f2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c4c2c3a62e901155e7a08ddf7167901b

SHA1
6d1aca5395ce1fd220efbd077d67c88f8fa587c0

SHA256
59cfb83f2a5b766bc33a4166367d00860c5c172f95ab42fd8712d30e3b177f1d

SHA512
0793a4869d49f4c41c56b4ff2eb6f3d5d0a704aa05f040a7b3aa12d2b0d9d8042f6a93621dbd4303888f18abdae09748b98fa54d1cfd23c1487c1e91c8f35cfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0c129d2d98d7e65a6f3ef5e80ab44f18

SHA1
4d636fcf9fd2a94f0c29b745003e659889aaaffd

SHA256
6277c318d9e5afb2a22b0e491d623128b42d5a4ce2b584ec6debc0b100a3b4e1

SHA512
af194546d358cfdd77846800656c3e3b8ef49766ba255dd6243d471a75af0c19ef1d121a86e54f8b85fdea3047ab3960b078b9bce8d9f63ad02c4c21646ace3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6aeec209847be26bc791617c281de038

SHA1
439792db6190b4d325293cdf7972059383ecae23

SHA256
d0f68f567346816f13eb8d0e9ddb6d4897545dc51cc1ca766b0c0fa318c7ebe4

SHA512
b459a02a8e08acb58d31b7a4e96e05bb5511634e3208966524b5b611d5ddbe2557d753f92d69bf2b3ac78723f05a5acd9b904c297341819747f834f40c3afb52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a122.TMP

Filesize
2KB

MD5
75296b401c198c10305614762f158824

SHA1
cc04e05d4e587ed4e86640fbf23737f6abdd0382

SHA256
d712288753afed8c5983f57a56b7a2ed4833a609e4344b2cecf21783a6d2db38

SHA512
7e8444e5d5306fb3f308d424cab733351ae8050b0c57d03b5b9a323776d62481070877d7d14f859c53fbe52932c4df09ecfcc48c9d790dde176b0fc65a5d1095

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
143a88a9e771d8a726fc14f07d08266c

SHA1
a32e0c07c17399f2ba94d15091de9df78a5dfc9c

SHA256
30cf0a61721cf80a075d0c10de026718fca7fbfccac7fc0fd98f4d37a45ca053

SHA512
8eb64d78c4eccbb10a88368110376495b542501b7a833919e98d7abd6a53a79ebf7e146af3deaa927be632d05e49253fcbda29a7b45f431723d76e9bcc1bc1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
a084f41dc0e5abe5cfda26aad51480d2

SHA1
a683900db7bcf85acd49d7045abd36db3245786f

SHA256
7f0dc8e17733a86d3f6ad3380b8d4be42d3e3493a61c20c77746a1853cf7cbea

SHA512
18b435b1901a3ddf848b5e5399d8da341de433f9cec5a0d74e319950914c1256901a504afb3779d1d81d2a5bca45eff177105041f20966e7aae402a64ad6bbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
4d72164143bb1d2c33367a25b62b77b2

SHA1
c2ee7d4b91ddd980d8fa530e32d1fd10be2106fc

SHA256
71dd4bfa77e9ab7d778a2d86175e137833fd096934201081836eda73f772ad1b

SHA512
1ceba05eaa7126b620a75f7880d0fde389528aaea824b7a57626130635393d2a30b88a4bbbdd835a610e7aeaf2339dd067535deea83ee5dfb23011a84fda97ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
74e9e6de5f18d8c08e4442a94aacf18a

SHA1
188b24fd64bd2657dff2d437873da0a71c2eb78d

SHA256
5ede5fc56bb5ac0276ffe0ed7ac140bbe1ec1f3869ebb3cf5b64272e09d7e448

SHA512
767ea130b2b092b2b7bc55e7980c0a066d00a1b08981f00a055774e44b72d319709803b83c8bd061b0311f788068d043b3d89d21ceb6aec57238aa035f0c3868

Download Submit
C:\Users\Admin\AppData\Roaming\5d79c918d8c8c63e.bin

Filesize
12KB

MD5
2c638c9a96dc9bacdd86171e63e03ca8

SHA1
a20312dfbc3baa228e80e171ae278c51121f579a

SHA256
2a10383bf24078b14fd80251f7f3dfa1d4de8821d190b3222287f598e46a5c89

SHA512
1944a01a324f2a5db896e5d0d9689f31b503fd666c378fd34a68f22179726138b27fc5e63ca507f7db834248550b78088bfe1c8dd83deebac9b691b9b421493b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7ea79980d7e20a8d616276d7044d32dd

SHA1
a4026874590aee5df0f23b9ced0b2167f25ec5cc

SHA256
f75bdc412e5caa7b2d1d3edc9ab72c30afdbfa89568b7bce770b409bf3e9504b

SHA512
bfe011a743f08a9d75afce651517cd89568fc6c3015fdf02f7e30f47e288c99be6234b8615e3aa09395c7ddaedd96b5d01bb959ec354a0921861b781401f0a3a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9bba7f3019fd9cc1898205c8f2365e23

SHA1
ad7f8f7e75ab923101908335a112e8f5f63253d4

SHA256
db1d0e427d49b2466e9a69d77455cdb76044b9a6d8cc42721785615ed8a23a2d

SHA512
6dfeded8399523734728793238171a4ca0123e476a5d0d0cde934279077730ea78c3983ea2628f62c90ab4a9c179265a561423ea9f570a3e65f6c38df7d5ff93

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ca13e9f86e5ca9c03f58c847e3ccc9c7

SHA1
0e8d7d025773314d531af7ac9c333fdb6547d562

SHA256
306960a450ae91a1b2fba8c488228b9028d73b9ea9ce067e97be8f2251e2cdf7

SHA512
6a243116763ef975b0bd510a38202d9d2b88ee2decf2602ca47f7d3c1d3a385dde2d41f5fa862358f9c1c34683b41832f9a383a3387b946723faf20f1404ce35

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
227b560bfcef9ce18617a1d39aea926f

SHA1
75e6bb35fafc51d413e6897d3f9d2d5f9350783a

SHA256
d548ac0c24d09e37adc20500e0d1b7eb072a45ea3951fda57055244618df74c7

SHA512
8cb6ee125a78d99ebcc1116a5cffd2d888c8d887afd1450254c591ed9fb8016a9af61022265fafdc2db83df43489ec74a03805295c1810558bbffd8500285c9d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d91b2896e49b934a2ecd851b33afe1bd

SHA1
650d3d862b534ac5f977e5d31aef62405111304a

SHA256
22e63a460e0d1cdb3f6f2809e9917dc49329f6cfe60224aae3284196c19fbe80

SHA512
4027527c644540e96622ca4209c219dcf2a888141ac5cf526f01deb80febf5802e59f1e3a8f2083bd6fafa926a46bbbc219f3636b33f91fe9f11d6314be2f239

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
54ba1e1af8630606e0851dec6bc8b8d2

SHA1
d8c289e3924a8e0ec97928ac0376ae49967da0e6

SHA256
bc8985eb13350cc211c387b980488b06c225649177d9b83934100bd03aca03ee

SHA512
54862819dfc5079577c0a1cedccd465623b86bff39b69ecf4df151362f65b47bf11122a0d14b8d1f76e64a4c0bc8abbe3b23a4bbd86345f33b5212b182dd5249

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7cd78a0ffd59f2b03b9a501d5423de02

SHA1
0d96ddea1a163325fd7e0a3020b066c7fda4ef93

SHA256
a8ee78319b727eed4b3fe8e1d6005157fff1e43c14a84d09109552a4aa5f3e41

SHA512
6334f416105696c72fff668199cf444965a472728e5ee3688254d1c689e09ac1448238f39b2589be71f11230d636819d0ee37de1387839f0dc7d859ad1e97760

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9e8c53e6b23e9b92c038b4e2e7c13f9c

SHA1
8a48b76a16033491e45e0b7fbbfaa463fe6c9f26

SHA256
a2c792d583434743051819c9efe6b04638a4f17f490609d0f7f9c061359eb319

SHA512
055ea91c145d111560d2890b35e2ef298989ede40a1818c071b63e5f1fb249854eb9cac9aae5541c9d1af12d237d0b4b5362ac43b0b09670ad414f744c6f1fcd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
faa00d23da6ed96e44a880493e948931

SHA1
ad16e8a0bc91857a12b2c6f172aeef8d8fe1171b

SHA256
253680662cbe5e3975cd74ae1f05de418c0caec980ee59097b6414c80efb8cdb

SHA512
8889e5d2971f720508abd4ac1106875a7219b202bb83266439dfb1cc5c5d5408137571b49701151612a20d89d253a20f491fd5b5c87f380a272b3e980035ec2f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29b9b5152c01b6667a5555d4d93990d6

SHA1
56318a95de89ef93c4750d60d306f15ab5c788ab

SHA256
0f4c7b8af1322f654d75f8a07c1bbab7b6e1a9b12e4ac8e5ed55f4a2899f5122

SHA512
fce8c917836759c908134e2aa75b361c08c8eb177b23ce21a5d92547adbc6651f539e6a63149c862a19af1dd9ffce42a3a3daec3edb8d99177bc297a75d2dba7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1a9cd38b8ff9fe2ea8ea2d2cdbf9a2b5

SHA1
da7281c8a343ad7f0a3f6e6e0f1e8a27cffceb6a

SHA256
d3a207741a747382892f5a922e6bbdcb1314f7799fc8585d471d3174b2b7c6b2

SHA512
d78c9d093b07095035698d450c1b9a0f9282012e99bf31dd58cb9503a31080a184f4606f5d684ca1216d2ffb8d0e26474ea4a6477ec70d1ea0f3c665816e4d16

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
07321e0d7e85f2ff03ba13fb38f76a7c

SHA1
a1eabf34841c2755ba84f7b25ae74619eff28e0a

SHA256
928ae02a4e9a636d97aadf56a7118438638d37964a0d828a05801ad27cb1ff4b

SHA512
8c34c0d107dc723920e153c9b645a80fd98d956c55ed868479d5ca7e7c9d8f7a589cdc94891a3a93a6c8e7ce44b9200ac6b9a434039a444122e98129700e9bf6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
262a50a56b9720340970d34d7332c42f

SHA1
48fc11c7237668beaf021241538338b59a10d7a1

SHA256
74880b134b6a17f87f87eea9afc7e79caf6d3172fd9a9e31e9783fd43c9da7ba

SHA512
166dc0bcdfab547d30eb0bb1264e1b06b4d2cec5a866db5d1433d1ef07823140b545c2199665d3eb5382cfb0f0f83e572fb45ebf934f12e642f904ec77fa6d2b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6fb0011febd3fd61eb210b34fc07cd9c

SHA1
9926a0b5f10df0398f6812cc843fb4083b2fa5bd

SHA256
cffec16b12b8aeb2a5dbdd56f43450746f3ca586d5db17d876df63ad0bb37c2c

SHA512
cd87103c1f0a74600fdd43f66a5c182ffbc9d108c1a92b14e1a5f208ed5194530ee6c67ebefb4cfaffbcaf1099b273cae9d1d20de98b5a1ee98e59b731ef1f6f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4c51751a9d2f287bdaac7b04bfce43d1

SHA1
3924fcc640fb073f4fa241a4113c95780c7f73f7

SHA256
1210e1f1c802e63a605fef8b931ec9425a004ce9a1a335b61570d0689da1b379

SHA512
52ae21ffa6f95748d0d1f8251b6e200048830cce0765dd27716d5ae493244dec5fe76f156bf26baf322abad4918d7e275bebb343e4f70622e2318995dcb01ddb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6710e118939dbdc992298a422f9c9d6e

SHA1
da961a5e6dea4bcdd194cae16c6b045d10862bbe

SHA256
6c0a6f1bd656fc01c8b6e2d5a6784e4eb5551808bef771c09562bcbfa10a9a1e

SHA512
51a23c4f4d82722cc3eb3253ca585829fe15b495a5b10377e823678abf4b646676b7dc85b0c55a52dd4ac77bf22b97559f6bd513317156bd1b795684358dff08

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4b365c988eb9e01a2d4b64d283107bbc

SHA1
fe0ffa4b43aaa1e1b7ba6ee5cbe0398817152275

SHA256
1be0d2d1ad964e40038233f80fcc2eb260d0f69bc5915b2bf340076d01508405

SHA512
af3d0ecaf81bc1b797abd5ec8f56c7b9644d6b80559f336dcc1b33286a2a081c0a23cfe64dcf2883f31b9e45123e085c9452d7c35fa7ec803e702569aae91767

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
041b6fb30b02d6a8fa330bb221a950ec

SHA1
6a5bc9a08d65164aed80302267e9a4c857decb8e

SHA256
39280a26b2122b8256ad54e11241cb393ae71f8a697e556eda9f4a9461e02cce

SHA512
5fe181ae79f3f3f0a324e4f8ff6d0a2c720507739a7b7a2615fdc015e588ed597ab2b5c884a26303087665159fbd06d536c0a8f6277151f8405661a0b3cdc1e1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f4db6362aaf8571344ba6f04f75f5a7d

SHA1
8a6f890315171158d1f665049bff29715daaffb0

SHA256
24eb5871472dffdb0e29b112b170cb5376e70d6e784f1a3dd003aeb112f832c8

SHA512
a4b5c9e930eb2cf07dcd0060e4b278978a4ff4d41d28442bf8bd08bf4113900892eb6ce4b2daba034f514e32dfc9529b8640a82ce87d8c318076647614ed0d79

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
79dcf9150b3925ab8fca751f96bea4b4

SHA1
153e1e084fae0e2ab8b114a64ef644b64039b8dd

SHA256
2b239b1bd83e4d69d40a6cc94903d5095f392070078fe01a1d45d5fe8b6536ba

SHA512
6bb8546c231b84404cdd38a160dc07aa42ea31eeff1194a999f4fde9558c03df8c9a361a0daa71bb5a901f28d4de7f1e58d193767a7cc805134cd4cc2da759b8

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
7edb0e077f7527973136f5c96ac33a07

SHA1
af9adcdea7139f66d32d9288dade2028ca43d20b

SHA256
b859ae124b12b6054fb84e5c49980afea1a9816480aa9bed383a7195fe71ee62

SHA512
91283b95583a48cdc3c7f41e17887f7392605ecb60614e51c17b265428440a09f5060a879eef0984a0ce95e0d389df6e2be6d39676d8cf402317a76bcf036654

Download Submit
memory/448-0-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/448-8-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/448-40-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/448-34-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/448-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/540-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/540-117-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/540-552-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/540-53-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/540-559-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/540-44-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/540-43-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1052-470-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1052-478-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1052-536-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1096-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1096-14-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1096-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1096-86-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1468-30-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1468-18-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1468-16-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1468-95-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2156-87-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2156-94-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2156-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2156-318-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-278-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2412-393-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2412-269-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2556-84-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2556-81-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2556-72-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2556-71-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2556-78-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2580-456-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2580-464-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2580-518-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2600-59-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2600-277-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2600-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2600-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2600-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3084-532-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3084-524-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3272-506-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3272-563-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3272-498-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3272-571-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3376-427-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3376-435-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3376-494-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3376-485-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3756-398-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3756-320-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3756-310-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3928-351-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3928-352-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3928-258-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3928-250-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3928-251-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4164-330-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4164-305-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4164-287-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4164-329-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4180-439-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4180-455-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4180-453-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4180-448-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4384-573-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4384-564-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4400-550-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4400-495-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/4400-486-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4916-537-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4916-545-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4948-520-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4948-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-577-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download