6cd7bf1edee842ffabf74a0ca57af5c82594aa28d1cbcfe62f1db592e90796e0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
Size

5.5MB
MD5

641e1b6b7a6e0e9d0be72cb1f3669247
SHA1

01b17f02da09f38a632c2d080b2b7daabab27635
SHA256

6cd7bf1edee842ffabf74a0ca57af5c82594aa28d1cbcfe62f1db592e90796e0
SHA512

bf5558736d9c0f985e0bc27c8d730baacf86a6c6a0f06eebf4f2441e2c0fba8460774ca1bd4e0b667c7edcbe7752f251ea325675948a5f7c1b1cb988e928ade2
SSDEEP

98304:4AI5pAdVJn9tbnR1VgBVm870uMhSBrkNq:4AsCh7XY3IoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4564	alg.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1036	elevation_service.exe
1948	elevation_service.exe
1532	maintenanceservice.exe
3948	OSE.EXE
1092	chrmstp.exe
5024	chrmstp.exe
3472	chrmstp.exe
4504	chrmstp.exe
816	fxssvc.exe
2100	msdtc.exe
2860	PerceptionSimulationService.exe
3164	perfhost.exe
1260	locator.exe
4172	SensorDataService.exe
4556	snmptrap.exe
4860	spectrum.exe
5000	ssh-agent.exe
1608	TieringEngineService.exe
3980	AgentService.exe
1444	vds.exe
4744	vssvc.exe
2364	wbengine.exe
5032	WmiApSrv.exe
1108	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9cf440a12a644d7f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000413819a0fa8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000363476a0fa8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6cd0ea1fa8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6f5d7a0fa8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eec91a1fa8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b58daa0fa8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f4789a0fa8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ce8cfa1fa8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133573046536736766"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
1456	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
4384	chrome.exe
4384	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeDebugPrivilege	4564	alg.exe
Token: SeDebugPrivilege	4564	alg.exe
Token: SeDebugPrivilege	4564	alg.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1456	2888	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe	84
PID 2888 wrote to memory of 1456	2888	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe	84
PID 2888 wrote to memory of 4992	2888	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe	87
PID 2888 wrote to memory of 4992	2888	2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe	87
PID 4992 wrote to memory of 1600	4992	chrome.exe	88
PID 4992 wrote to memory of 1600	4992	chrome.exe	88
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 3992	4992	chrome.exe	94
PID 4992 wrote to memory of 1340	4992	chrome.exe	95
PID 4992 wrote to memory of 1340	4992	chrome.exe	95
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96
PID 4992 wrote to memory of 1672	4992	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-11_641e1b6b7a6e0e9d0be72cb1f3669247_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5eea9758,0x7ffb5eea9768,0x7ffb5eea9778
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:2
    3⤵
    PID:3992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:1340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:1672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:1
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4684 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:1
    3⤵
    PID:4824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:3472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:3300
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1092
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:5024
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:3472
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:4504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 --field-trial-handle=1884,i,5570975383713810770,8267821815440378842,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2724

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4928

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1540
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7cced1c82bb39973276a0b10f3672d97

SHA1
9363765d384aaec47b4cec809ec1c7aa39539d55

SHA256
4c76bc3ac8c06d45ab141d06b68d77db97b40a96307bdaf524164f2e9b93cf40

SHA512
3378c5437a629edeea5c2feb901231b7ccdaa7bd4baceac1be8be869b63a1de971ca25591ebdeef2f5f61dbbf2fbf7b3a10fd5161037651fc374f4bb5f765d7d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
79fd22144bd5eca8d53d5426168432a0

SHA1
f5363fd8df4c595cc9f12035c393d6d60bf0772f

SHA256
4a3ebce7730e53bcb4b246ba03b6e2c7960c219a3a864d11805c3cc0dc4de4aa

SHA512
15a6b47320729adcfa64691bf5011163c65da93767fecb6d424e62c1a26ae49f3e9ab6b16c58482ab64a927e3f01fb2d1de4a04a50bae1d36879e37c4491b192

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8c630bf6a4fb400936fd979e53a0233c

SHA1
2078619f6796d751d376eaf57a60ee6b7c860c34

SHA256
e86ff8bbd18f13a561555bee3f139b4aa93ff9ea7c4bc2dba9c36726f9e33d49

SHA512
8c9c182bedd5f3a65fa10ee4c3ca1c84cede1c198843a3bea272b8e05be9954ef4b39a57e6e2997a8d80a5d6ef78eb8fce6dfaddbafc1f9162be372192d0f7f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
634ed52bd4542c87c29089ad36625c20

SHA1
b1ba3eb462887f47edf6ff1760c91f77e3c19c52

SHA256
4f94759d0cd9ce4747d0ec7048b6998b18f7e5c94e285a3498fc418882eae28a

SHA512
dd06aab974ce62482185ff25a503f8e9d0b3a3a76d14cebb8ace456b4d22a4f1cafd93eddef772a9a6eaeb0ac4c223d3ddb72c3ad35bd8f738dbb71e2441bc64

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ffb9bb6746cd38fb635702685d19a160

SHA1
7e15024e7e13e8db6d80fbb278ace6dca6ff8925

SHA256
42c67f657adbc19906ec5222aeec5b4ddbea37dcf1fc703798ba15683b7e48b9

SHA512
53e74fefa103299b74e9ebe19c2e13434cd1e22cc42fa390876bf22f76a9f5607ec751d02300106901d33189fd265337b149e3c1bbdcfde7d593b1c1ea80f95d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ac746cfa1b9469b082d8f0c6307b3a4b

SHA1
dfc345111c99555b8fe8be2ab475db11b803bc01

SHA256
0dcecd147bf5394f46ec52282a085d30e2d21737e714c343cea973917c93408f

SHA512
f5b417393caee057e44a3ba36276d43330f0a581a0260b10af6fcf2013fd40bd11bacd1cddb7a4ea3aee5a7640024a0d1caf44a77b9e26bc0077fb65b9fee3a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8723276f83594ee3efef8bd7ddb42855

SHA1
243c00ba9eb5085838e2794f1edd3ed65709d9cf

SHA256
8ee713c6286f6105559bb9ad67c6a8c33e78b1e87269b839dbeac045d9e2aad1

SHA512
e350190898319fd7e2eeaf7fff7ac94d6c4b0190c67f22236b2292e09af911aa4bc1e9d7ebaade6d89e05b3ef0bead3682a911eb8b2d52979adac83a872e29e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
34b4b943d4db4670c0df97c19bc4b380

SHA1
aea032ee14dc95429b67b4257e36da6e2c783761

SHA256
129475410372b79b80d4a5c0cf1fd4ae83525ffd5e984594a9519e29d41b24ed

SHA512
7e8edea67c59b28d1e7460c04337149fd28cfa58613a3de8a377481db9889152c2335b6ca21eb53cdef0b6f7ee7f4fef000529f3a07c0dac1236bae5d4eab93e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ef43a640d4681716fa39c64d95755d9b

SHA1
4a1f6bdc57d572c8171b803a912f9b95e0804924

SHA256
d69cdfc924c690f153cba3c316b1e198ec097a2ca3e2acb5f9960ea303682f3d

SHA512
67ed95567d2bce41a0cee725ab5d682af87bf29b696bfb3d9fb808d3af6d7ac81a8657c34652f629195d424c9e398105ce2a6790428ee2591fa07aa39c43a62c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea07f16bf8ef31418c4f0c6ce0372940

SHA1
d80ac7c16fc8886350485d2cc15446a90077fc41

SHA256
ecaf2fd4457dd3a38f87dd5a62faf2d533b8e391b5b9ae9c5e0d98d2abfa9a77

SHA512
d82d36c5ed77ca849291366523d46e0d71d64487495679b694095642d69f597863f1f5277a0664dc1b35f2accfe4d677d50b4486538153c517d68e3178dc497e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
97550e2198574390a1bc9800acb68c61

SHA1
0323e7c235aa67e98ba3c0c2d65d09f41e70a3ff

SHA256
e1e9fd578e0f4542892022c66e91110eff110947b6a1a36a48f9d260278be0ab

SHA512
3a40505a488aa0500f3d63c7587c99b6b11868138ae83d9ddced7ccae228b37c333644ceeeb0bea1a845e77c6c0bc6581b0f77f14606a44f43cb37ba366ae96f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0b966be6704331a36ece389eb74dce72

SHA1
36f576a61a622380e769ce506ef43966bac4ea93

SHA256
13d920310cb9b9cf1d27c887810f5aa8c8e0dc22554671f3007bda74f16c1510

SHA512
81947be1e6d8d45444525a870a4258ebb44ac3198874f134f2b30f10b3d651ab653b782b33a314e115201374250048feeb8732a5ab21ceeb815793b46069d523

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b6cf51ca1df51611e7c26cbd97f50aa0

SHA1
0eace6b9e6bcf4254c9cee0c8c1eabc3c3ead399

SHA256
932dc36c463d12979b1eb9c7ca5114a607d871b3253cedca392d4bb2c9dcd6c5

SHA512
8a94298203895400baf60c2f73525d87fb53497a07bf3053300c3fbd909f7350da55da6081c34e13b2d4fbdf6a02ebc82aaa841b549e2c405fb5ecf97d43cfec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
28ecf27ba5d9a3cd28d2c13e9c863f69

SHA1
746605c79508d2a9278c1160390b238035920398

SHA256
d76469a1d83fdadd7549da1e111efe81291c50301206f47f59de4e0a234b9638

SHA512
6d77d382a1b89d3a5b7ab0ad7a572efdf219432596de0316df2a435eba7ad0e6961212ca9ed0da2d197c75dbf6040eeccc7761c55b75fd9a526c3a1843231694

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
2f15cf6b9ba28f31c0c2aeff77aff645

SHA1
4857fe7f10ddfdb5a6eb5f6c2d0d454df8adcb5b

SHA256
5831034829cae554d0c3bd6a872751d76fcd59d799c3a9d2b21c7784b79b8f33

SHA512
453753e4da45200d8d60c6bec7e3f155b83bee1930903488bebcafa027633aaad58d811ade43fc193757771af7a343f9ceb9bbcbd838c45b73f2dae3c443f2e0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
fcad0c68b51d34b2f366f413abed01a4

SHA1
efc456d42819b94d7a3b8986d46fef820c550a8c

SHA256
c0caea9d42f78f2a4c1508b9875b5d6ecb432da6e653fc4e63cf76be46c0aec9

SHA512
415a339e7f07655d1b870c7215cd1d6edd10188f8a3c36c889bfbf9abbc27d60c88a863bfb2bfa21c58b6bd6baaa4ee126572b772520061c7b8b52f34e1b7a3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
da7ce46dfabbb056139e109e98a13132

SHA1
15d8b09ec9b7ffa988847ce47b56ac95c2ceaec9

SHA256
4c03440180e82c17750100c92d8b493428f87c2e9bb08c056e075eb853a8d416

SHA512
7a9fae9e4a637040b63246343d6f378cca2fab9b7e5d05812766ae29a0578b1f1e6dafcbadd646b56f49441c3caf5255b58ca44468066c116217bc80b4bcbfab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4603a58b7c1d634a98f906fb99b88b21

SHA1
4e838b6337966840f56698cd7a856d6b582e1ac9

SHA256
5250a8c5f54b4d5f2cf327b353c3c640aba290d3dddf72a068494dbe69364eed

SHA512
5b0ff0cb34217841b4e55e236d028f31fe01531d12d15cfd2d5ed592d20c970c9337dd15de6a6e9058f433ec9d7c8d13c871583c11be32ec4efa24447dc01636

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d903fa987f56e9a1d6e73452791a07bc

SHA1
9822809b7f9ddc7db52eb35578e766dfaaa4c701

SHA256
5f4f5d8f3c90864a6abb9b540f76becc1029a44bdb6b8edf19967f6d17113185

SHA512
948bb53c33b74a957af526228abb4efa37a75d9b98e4a148cfbd4bd3dfef55cef35a18b08ec19e5e8873b2166f553f21c92e88d89aef01775aa88e67cc4ac214

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
42a65b1f0c6907c904b8cec720e54d36

SHA1
236353e6bb4bfb9a0704cb87f726cb987a8f018d

SHA256
87fc10baf20a501cf8eec17f00d7377cf1dc64eff7f3658eee35ad7d6912f1ce

SHA512
121ebef66b9ee05d883ef81840b3dcfbb289446d56ea90ffe4c9925fa2a66c0f0a352f5edf2c7b87a416587e5f7e67392f48d4319755df4ed3ba9ea365623c0b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
969b90b417acec7726db27a9d0b2f06f

SHA1
c25588b1bb6e9110b43d7a3185fced31667348e5

SHA256
a5298275451d719afab63384f561e95dafa60593be2ae646069b233aa2e0b5d0

SHA512
0f3048266ff33918a1ac273ef830d965731dbcf9e75c660eb1ef1a9959c92ab7b289acd71637e7f0f7cb466f8acba566d33019eb93202c731a3d902f39135661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b605879e08d2c37a89e0a7cf9cebb008

SHA1
547075286a6e5e6a304912cef29adf2a5379458d

SHA256
2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a

SHA512
f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a89356b82e582707cd660af3a322d36

SHA1
6ed22c9afc01b9cfa639040d44d22ebcfeaa68ce

SHA256
11dd452e5524e258da11de5adc8e9656d7ca83b2505ad13404ef1ef3b7b0b9c1

SHA512
45c0b1af99f8c8edc73996d34e1e8fdddfdd35e80b4d54a6a9a7c71cedb4e1abd27c53da163ffa2b9df01f6b126df3c1ef468d0fb1d7cef0d099c63f60647dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
a8b45096070333a54a4926823cab388f

SHA1
c494c338019fcc7291a94522c21b7b7bafe172f1

SHA256
380b16ed33db30fb2893ab027f64573f63a9031893f238f3208affd108273fd0

SHA512
f0adae874046956136b3ce87205dd87282748bcaf53b4f53cea6631e7b31f5e44ebc33dba173618ad79d8c88c41e3b4693b5fa8002e04b280deb98ab3294b46d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
272f084f11ed932db5b59a88f9fc981b

SHA1
99c0432b67de63a5a71a07251265c193cf541a17

SHA256
30e5d700caa319ab20afaef47a730335524a4784f5cd3330e1f45bb5aa9cab23

SHA512
5393d307096a4a23ab4988ed53515b828058b7bb7d35d9d5200410782c9f9368cecebd24e785230ddda041d02884a40d49b955c1e82d158450516abe1f90c5d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
dc1e28d24f054b487c3103638f511c5f

SHA1
29c571a0027228fdbb6b57f65dfee45b64f5f90a

SHA256
1b903c9f148bb2113e1fbcf60f95d121b17f019f0fca48870b83cea990337383

SHA512
259169f9d4ab7c69906d45a5f33455caedb7c082eae17f9e75773b49453e7967112adb15f509c8ba43e0f4d0d6ab1e8512bf49de9cbb47bb6f100477b05ea114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8641cf3ae59062a825fa2a7718eaac5e

SHA1
f2458017afd968f550975fdd1066b51df51ac3a9

SHA256
915e01004ffd4f2773f945d2aaeddf0524e2e977311f31a4f418abed2fbc75e5

SHA512
2f5d9fc0439e380d785e7988433dad4f699def44e72cedfea7e38736936d2bf976047098f4d944b38506d29cb4e20c05f4c5027f630dd63b5484746ba05a2f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579134.TMP

Filesize
2KB

MD5
ef3aac392c0d75f931c89cbb67985e0f

SHA1
ce61a9a0890645f7551e4188f0dc09b324f56b63

SHA256
474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec

SHA512
22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9082b40dd58e7c251eefa475a0d8b53d

SHA1
24aa1354c1778011cd90a5db00031706250a6dec

SHA256
60bfbd624e559e926331b0daa7b083f105db89643850d7e5b6fcd20f9d55eed7

SHA512
020757833dc75a25a68f8344b53b7248e1269116a56becf67e5b0dd186ccc8415e9da00f2740d1ed7951356b532aa18dc48e39f8e4c2c2d742586ad7f037f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
db655dbfc4b2070866d05c4a1180e547

SHA1
10f7936d5e2aa977273d86b2f7c8b1ed7844dbc9

SHA256
7f1023c655f59d55945baf88076000ce4a2a7f9b0056c808294d60c736880edc

SHA512
2c0dbe55bfb5014d01d902e72aaa0b4adc793e8430b53872352a96f562c5a272128daa98e19a6d185353140dbe16c9ac9a3d05a39c1f8728f8c089cefcfaef0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
557f871900211a2f17622672e83b2542

SHA1
c0663af76394d390703d8fa088775455c9f494ef

SHA256
cd0d44dd484a6a3513a6817180c96bb8e8f2d5f53f7bbcd3f1f1c2274937cf91

SHA512
8f08995f0afc52b86d3a2ddd9f705baab20ac9b9a8238bf452aebd514eeee9769ce75fbe33033ff5a995f02999eb9c70fe7f0f3831929c0d901b84c6c51d639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
49fa1e55d903631e3cffc8e039788bc4

SHA1
439f81bfc221cbbba4bbbe14ce71252222a8bfb5

SHA256
0c19737dbd0a49d48375002f463d8a042265cb04c01923bc16fd2e7ab12f5c85

SHA512
089f74453cdc91eccf8cae5c2dfc1dfd857e38365d839edafff06d925d689b2a8f0fd60e88e230177b0f54b05aab7592a86873673ff32606ecf6a0e534fad8e0

Download Submit
C:\Users\Admin\AppData\Roaming\9cf440a12a644d7f.bin

Filesize
12KB

MD5
83ded6da1cbd12b45d5c0b38fcc49b22

SHA1
4076014528f533c390e641b81d8da244d03e7f74

SHA256
75af84eaf6d091fdc38260f56eed6bff50581a7dfa52ea8b9de88fe470e480ad

SHA512
fc347eb06018f601d9f31cb6cb34022e588c109b89110b8b744299ce22df9610b36b1cce8d4880c3ebf72b7f63442d6d076c0843affb5a576f32548f8cb16e34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
486f9385f64073c33882063d66f9d2fa

SHA1
3389466f7a94a56817824038936ece3b5d24651b

SHA256
319d43a7d86ab8ae5f46c026a4f6a6b54bc1912108704a67e11afd7b6c3121b7

SHA512
389a12b78b54c11d649dad046c25e695012b7f21b1ca1077b9cdd81bf07daa946699a8791a549c2f2606ec2752b31b5c1bccaf62e0ff04a55eead75317be3950

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2436bb9c4612a3595adf585dba7af564

SHA1
1f7cef6ddf3ffbedff4254ddb50349e5cc888f3d

SHA256
b5a7e77cac746e58a55d5b41802359634bdb507869f0608f23f4e1283cf555e8

SHA512
f61d0e0253d696b7cab3e4808cabaed2cf5c049c2abb87a3c091d05490e782e34724fe4fbceb057084e73470b6b4e13ea15d6baf724432f157273e2d5941f925

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3b74d365088fb0633db8d97f689ea43d

SHA1
6361b993225c0b7b2d9002f6525c7adf40f4925c

SHA256
d5a2b0159bcd0451bfdc20165bcc6662cec0aabe22d48c7d107890d4a2bff48c

SHA512
2046d81a42bc2d75b81f210a2495251983614cb83bd0017ecba20b6b702ed475550d6a855d722b0e8eda0b9e2b3187ecf4acba5d56e9e626749197b60a5c01a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ed67c1d9eb20640c96d1a0019e481459

SHA1
8f2f6b288fcb37305f4a3d27d978ae806624f2e9

SHA256
bfe755ac62a9d201f35020f85acca0ea187f323d28541fec6954eb3abdf0b701

SHA512
3d11b77b9e30c3ec7cf29313d44efbf26546fa308abdd08eec07b4573f36d9b036b00a3c04f0fe682f6c40113f737701c4e0001766eb4f9090643025446e9124

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a1707e3bd21c423da456e4e68892d203

SHA1
5af2efca7e99bf78e3ff8d0de833150155c04b44

SHA256
2cf39ced6fa10d0e22ac3b36918c6956a023e106019327a29bb0e11d961bf475

SHA512
f7f9813f57c046fcc6f00be18b04c303255e648c18a1c3f257b4a6641ac4a6ebd2866130b25891bf30cca80ebaf2eecbf40f3a2839f61547b3e686b52c3f1eac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db54546924b14b85a6916387149ba4a5

SHA1
d9d2c0f3f2d8f4b046988d36629194460c9e5c95

SHA256
f1f8d574d96677ee8ee5a8031970c72f16c5c025b07716a19f4e3bf50b5a1f39

SHA512
51b6c0858673ebcdcddb2eff7964e3820a307790593683636093be3f73ed7b90d5d2178133fb6129bff082811fa1b2613ee99ddd4fafaf0c12387f1e815aefe0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
71ecafc44c6b284e45515c5fc7a5fe2e

SHA1
d212a2bf56177173f9e27b07601064833e5c21c5

SHA256
39a9a6b0bee58cb60a58a55f7aef64fe5f879c5a4577a1496bfdca823ba21885

SHA512
a11970fda7bc94a531d864f73c0077fe0593eb53417d9cdc013e720f7756f4ddacf4ce84ae9c59e433e15903d3d35540410020919a56dd2f100d04f1234e524a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f79d94f5d891925e6164aa6443ed41ec

SHA1
4463c132c943cb66f659951d752e0de9ca34516d

SHA256
dd364bee278e2547e8595da468d333d8f7ebb2a8b311a90c64b21af072f7d98b

SHA512
74a2a11b7fc53891818b1da2cb4bcd5f32eca94eaee21448e8f85f761012b0fb8be841d911034d036e5ffa3a78116cdfb5f3392f4f7b4ae198076d78edfe6351

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf6dcaddd68d52c8fd17a46bb55efec0

SHA1
0b91505f091295bcb46f9f8cd04ffbfe7efc10a7

SHA256
88e9b2e155d8519eaafb770bb75c47a18fb4da594db4668ad2824e581fbaa863

SHA512
886b42c27e017cc79b26f36a3520fe14a9a4ef5b812f606c67d5f8df2eefd19aa4f4118a05d0e22c2fd20676cfe0206cb134cbdfc38b560d85b149ee7472b289

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4bdffe8d35651ad6d590986f7366ac2b

SHA1
87ceb68228d5cee71fb2d78bafca21fc6f02d9b4

SHA256
07f90876fa4ca8fa8705836751757113d3b9b1d8faeb4a63aa28fb5d8e884fed

SHA512
aa81e00a2bc7551d4bde9920cde32a3345f262bd0db09e666d483be7b6b34300f4e418577ec9395b9badca9b99004e503cf47db545fa98aa9b9c25e21648ea4f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
85351ec4ea756c35379dd73c4d30d8fd

SHA1
a3dec331aab84e21a791c08f0c11c5d842f6ea11

SHA256
2744721cb6095e49be755ca6c631c0e45430e4716ad64e0e128bc9fcfacc1b25

SHA512
c85a2fd418acffa58bdab2c8b73fda3cfd984d36cdaf2f680968a928c7a764720a033217d628a33f54765649f4dd2226ed71aac73e53e686fc2fcd0cde4d464d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
090f47b207c1dee977bb50f7632f2ec7

SHA1
fcc8ae83b73b69d08b5ef229baa65d5263359706

SHA256
dc137950318e442424dd4147cae46f82382a1b6f3db093a11eac5e47ab235e7e

SHA512
1494b8e9f6762ec5e06b2b752d2e89d0d31ec1696a5d1c767e6745e2309664be00c78bb4242ee3a02d7e471ea80c86451189f7ab0ff10f78925a2103362fea7d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
64695818fe821235b6df78de31b80fbe

SHA1
044b49a1714760f3354d32d83b5807ae90da0a9b

SHA256
6c22b7c459b94885f5df2769c0b14356dedc941f3cc9880cfc6e13468ff415fa

SHA512
d48701fa1e25d5ecdfac8e92f2bec418889108786c397bccdd0f6235d4206abc291aaff3af9d5b16cfc3b03035c65e305c3e88ac6fe7ab155408a9a71467eea9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4452101cd9960b61ed579c23f3436165

SHA1
26a7f2325ea2b6b4cf7cf6fda3933e3b1cbcc9b0

SHA256
8d99ecded02d0f67f5ad23a0f0b03a7759f195e2b1e6692974c3c5d860baa615

SHA512
1aece301cf0829e6b4b533fed06d07b93cccd0bb8d5bd5cbc0a99ccf4814740a7947a1a4b7607877404756d977410ebcb1759c17e9be8d8e6cd6af54a8426170

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5cfc41feef9f4bc22f2150a9bd1c46af

SHA1
2a24cc1ac9b441ed9f2a6f8a9ffaf5f7f975c934

SHA256
3c832ae7c2f5af6882a5522dca9f3538191e461602bdc012dc40c4d989a56765

SHA512
8b4401ca91c2ca4a1ee8c243f214df6074b35bf3dbe45d56457b982933dc85ebe9970ac6c0ebee6aa1714d8d8911a708a1909069fff33597c4cc855cc6f432b8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b1f07cadd8abb91e3f7c2c510b904b8

SHA1
1273c777302489c78b64d4b80b6b085f4e4bf239

SHA256
854413896b5b68c4a9625a79b4d3b4fa398bbc1e506602660febcbcd9b69c2b9

SHA512
9de557d4c6853ebf6908e9561eaf462b4768e44de90d75188f8b64c24ac1bbf8f8ee099b07b7b5cb5b49d4d8c890fd565361bbf058cb82b45449885908236427

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
847014f810199dc9b36f1f231deea2b4

SHA1
efd94491168ab26f2a6601259fcf5083460d8460

SHA256
2afc6fe888377cabc0cffe70d287286775ba6447930eaac39e1c9e191cfddf79

SHA512
2cac2ed3404f08c5cbd722272aebd1ea0fc19167eb7df47c16365cf6d50904376f3482ab1f065060d4a8cf0764f938d194f6c983f7dc89c9c590d7ed7a46be60

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
48d6b59a882500fbd405e80511dcf094

SHA1
ef82c61722a590e930c7fd9835968195fb632adf

SHA256
c213301e9f12ba66c28e9aede14657804748d76b7fee46b9f2a80f8b44a92841

SHA512
dc8bc6c0e2a695fca7a86cbac714f356861413b2829bc34558bc5b4a2583fc24c6d9cb761f09cb94ea898c7dae7019a362601abee2d73cb30a771480d5f7fbba

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
7806f070ee1bf48d945790a0c2a61355

SHA1
cd3804e5db65628f5a3c0a8accbcb6d10544280c

SHA256
6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895

SHA512
c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
529029867dfc93942a3900818341562d

SHA1
2f3e9190052cc9c74546026e78a3ada70566a0c8

SHA256
eca428b5c05a85ba3636c56302cc3849a1a11632445af78997a4d03d84bfab73

SHA512
ff4c06316d0b0a8f0cb7da1cc7d6aa08fcca11f9b9ed7808e98419efad4063a8d8269d8313ca43b931cf636bafded0b359a8a08d3a0dbf73b9aca05913dd5beb

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
d54215d28bf245680aa781536358a449

SHA1
0d54434499fdcee794e686e6957c6af9dd4f5a3f

SHA256
de360b270463433ecf13df23e46e6f91319dc475250ae43cc0ef197b5d53c226

SHA512
c400aef914160f7162f043d5a301e5f67d85034b05b9334815a988ccc92390c82da4b61c04bc749e70bf50d093eee22b9d1064735605a7ba7025c2e621ac884d

Download Submit
memory/816-438-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/816-453-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/816-452-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/816-447-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/1036-56-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1036-54-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1036-64-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1036-131-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1036-133-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1092-347-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1092-260-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1092-269-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1092-348-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1160-262-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1160-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1160-36-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1160-55-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1260-486-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1260-551-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1260-494-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1456-82-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1456-28-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1456-17-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1456-13-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1532-84-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1532-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1532-88-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1532-92-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1532-95-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1608-560-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1608-552-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1948-296-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1948-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2100-464-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2100-455-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2100-520-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2860-532-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2860-479-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2860-468-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2888-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2888-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2888-44-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2888-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2888-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3164-547-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3164-483-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3472-339-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3472-317-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3472-340-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3472-301-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3948-397-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3948-97-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3948-119-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3948-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3980-565-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-573-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3980-578-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-579-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4172-506-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4172-564-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-410-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4504-324-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4504-330-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/4556-521-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4556-581-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4556-511-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4564-96-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4564-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4564-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4564-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4860-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-534-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5000-538-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5000-548-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/5024-407-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5024-283-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5024-276-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download