c0dc57b80ecc4ae81e503ffd0c156bc450abb16cdd2ebafc5a1a5d8f6299b6e2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
Size

5.5MB
MD5

39491893d9403460ebd122673fa77f73
SHA1

71a883c6d788cc97feaccc0f845b0d96fd7737a1
SHA256

c0dc57b80ecc4ae81e503ffd0c156bc450abb16cdd2ebafc5a1a5d8f6299b6e2
SHA512

d7d2fbd983351949c84b930ea5cf51d1b311212fc024d999b50d65a115a4ca917c03159a9f6473b79e36e7598087a5a2e6a0d0e25903351c09392770433069a5
SSDEEP

49152:yEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfQ:YAI5pAdVen9tbnR1VgBVmb2FuzTw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3560	alg.exe
1804	DiagnosticsHub.StandardCollector.Service.exe
4204	fxssvc.exe
3936	elevation_service.exe
4580	maintenanceservice.exe
3608	msdtc.exe
448	OSE.EXE
1696	PerceptionSimulationService.exe
4204	perfhost.exe
3224	locator.exe
412	SensorDataService.exe
4992	snmptrap.exe
3484	spectrum.exe
5356	ssh-agent.exe
5592	TieringEngineService.exe
5736	AgentService.exe
5848	vds.exe
5988	vssvc.exe
6116	wbengine.exe
4472	WmiApSrv.exe
5440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfa20043fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaw.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\java.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaws.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004269cc525f91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df06ca525f91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009de827525f91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
3308	chrome.exe
3308	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1016	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
Token: SeTakeOwnershipPrivilege	228	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeAuditPrivilege	4204	fxssvc.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeRestorePrivilege	5592	TieringEngineService.exe
Token: SeManageVolumePrivilege	5592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5736	AgentService.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeBackupPrivilege	5988	vssvc.exe
Token: SeRestorePrivilege	5988	vssvc.exe
Token: SeAuditPrivilege	5988	vssvc.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeBackupPrivilege	6116	wbengine.exe
Token: SeRestorePrivilege	6116	wbengine.exe
Token: SeSecurityPrivilege	6116	wbengine.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: 33	5440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5440	SearchIndexer.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe
388	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 228	1016	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe	85
PID 1016 wrote to memory of 228	1016	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe	85
PID 1016 wrote to memory of 4976	1016	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe	87
PID 1016 wrote to memory of 4976	1016	2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe	87
PID 4976 wrote to memory of 4840	4976	chrome.exe	88
PID 4976 wrote to memory of 4840	4976	chrome.exe	88
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 1676	4976	chrome.exe	91
PID 4976 wrote to memory of 456	4976	chrome.exe	92
PID 4976 wrote to memory of 456	4976	chrome.exe	92
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94
PID 4976 wrote to memory of 2304	4976	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-18_39491893d9403460ebd122673fa77f73_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb12bbab58,0x7ffb12bbab68,0x7ffb12bbab78
    3⤵
    PID:4840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:2
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4344
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6af7dae48,0x7ff6af7dae58,0x7ff6af7dae68
      4⤵
      PID:1792
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:388
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6af7dae48,0x7ff6af7dae58,0x7ff6af7dae68
        5⤵
        
        PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:3864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1924,i,13980048141759171686,5923954376670867805,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3560

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3484

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5764
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6b25d16f1509472eff933b5267d9c1e1

SHA1
b42e00787ddcae4b26db107ff19efc6049bf3f18

SHA256
8f1fabda4008a1ec96b2d57cc7dafd79012078ad042a6bee66d3fac2e627aef1

SHA512
5ede651368dcdb1e40800d553525630140f5b9417479cf9c138501bb6d04deaee0148687bae1a2115520b6602a8f00e38598b697bc8bc7dd12213799226ff774

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c66d748a0bf6e39520b216a66566ac8c

SHA1
2b8e72d219e36181fb006a8ff32e85773ee9e4ee

SHA256
ac1a69a2825bb1db46ae902e9126574c2d1984bdfade91bfd586e6f02838adc6

SHA512
15e08b9ee14eeceafbce19450b22da22ceb83f79d34dc4b6a2f74809d3d7fb352e8516e5e2819d070a5bd7af10478f46abb6b724bf6f94746e5913aef033cd89

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3de048e86966fab8c58a575023096151

SHA1
1f392d5953c58a91526f96c6055a21ce1ec82d2c

SHA256
1f651d3657081da080e1de10500d0caafea58be9062c478de28456b4f2915e74

SHA512
9a0c8771285664dfa3258d69f867a2d46589ebdc065e6f375a001a60e60c12f04e073e4a17b43864b17473239c702afb23c5db74b99ac5f2cbb80bdfe1c2fe74

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
238eabcc29920d337c575a3cf5ead83e

SHA1
055d84cc562bcb41a9dace8e6edae9d9f683e7bf

SHA256
951f051c7c614594923d70748d81d4484b49e6d8df12a8e3c7bb3e99bcc2763f

SHA512
15ce2bffbd7dd73e538448ecc93ad582aeb3e1a4d52d326e560a93330ab84c06c15c82c3dff7312a7af121ee9099b8874ee66c4a973564c88cd3796e44543184

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
741abc8c49d3830bc68be03ebbf8e539

SHA1
74891af090baf23f1be1e20694df75e26b5cbee8

SHA256
30ffb426511a4b82206f0216f01dd77e84aa79a92b9d2e167242e79a651d2e3b

SHA512
06354f14edcaa4dc7ff3b2426afa2abae9f4ca3902efc86dfd32716723ba4c8395e03764e9e20024ec586aecfba6e8e44154496ee51ea72865fb3e2ed119b7f8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3d3801d330820ace347cbc50a31dbc81

SHA1
9eb9b6d42903e2dde88d2dac5eeaa94526c61e4f

SHA256
e12fa06e03eb034af94b35b827c912068848cb06306ac300f3152774c0ed5f47

SHA512
dab0ec171e983e6e7ee2ed361ef45d1918144cba7e155142c8b534bec90d6289489a508ce122c76812da719b12725f3bc0c76566a68c587aaa37bc4ec71ed662

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b0c8444c4828500dc8e2c01aa57d9994

SHA1
d7f1d9dc5e7cc6cb708b96fad64705ae43cb4796

SHA256
49284a2eee980e5af229be0ce301351c2a17117b535d929d0b2f0e21fd7e0fb7

SHA512
79ddba3fc652f492b6e5ce3b2e2880e8e0bdaf22a847235cad7edc3d0770e1511489c8586d45e4f47eb538c0d07c1114fc78b4ce743fe87a8862ca84904a2662

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
467c536132003624a090ab2961384d1f

SHA1
020497e60c0efebfd01b8517f57c7bdcb46ef105

SHA256
24ce3f953c5298146865661f952f2fd0035bbee479f53a81fdf5650c6815c644

SHA512
76b915f506fcfc8cd927b66155b582030b460f4c91d42b093edfa9b08b7c9123fe8279632750611b2f0d278d5a1f40cbee3c4d381f92b1f2395fa45e3f379d99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dad238451faf12ac618746cda01d41e4

SHA1
75d8dc67a6670e6069e6a0536c7b63a8f1fd734a

SHA256
5ff055a07c1011ae47f1cdea590e6c7c53b79f64e2947cf6ae757acf80b1e176

SHA512
a551b9fb7052d552a7a9dd6f65a01be7cf32f12f382f07187c7aa44b5e6a6e9374ee760743aa0ca1c177cd91962b5ac42a8eec31a078f8a1767a5d189a66bf6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
59362072cac39c07b0db929b1e2ca9ec

SHA1
a12df740838a3e9dc260d269ab93003612fc4a86

SHA256
03ff4bacd162ba92a7f034332b02a884104e2b4612d46746043ac7e9a7c02b86

SHA512
5724e5763250a5f3d02b06c22d7ea296173387e9b1043527141342bcc45dc8056c623d9e8d8e3e19ea5aa8fd17ce75c455d06745e6a81871ef9d4711d9b2b9d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8b3fa769d2a52867cae173c89d030a95

SHA1
881fbe58946e710587c1cc892287ca7fcdcb18a3

SHA256
a498d82dace9f5731e2a5ee9a09aca8c47b82de1560541b4284fcd5afd166a1a

SHA512
ff34e7ebb4c0ac82e9fd63d127c4ae914c27845da87d48a0a4dbb62ee2f5420ae4ce9ba0adc3d2b8caa857cf47c86f3408e6538218732920f30f329f665edd11

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
776219eaaef58ba690be518268f89f97

SHA1
4e88bbdbb27cb8bc46614b8f9e828b0fa8bef6f8

SHA256
7c91285ec565fe6b11dfbc6e95420f91f6da8bf858fce9ff176e05b4d5199347

SHA512
fcc604c9b930abe9fa803b052b53927512daef074c6c8bdba95f2b4af5fee6d0da47235c8f6c4f47b4a2015705e7f5183248b2120382f97bdbbcc0129ebd8100

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d67c7b3abda48bc754fa8a0be5a0fc41

SHA1
e2ae1bc58b95d382f4720f18be9a5d30c2945be5

SHA256
d23d22e588fd3e158a9c9a3e037898c9cf90a50d48eadaa45bfe5ca7fd2f3287

SHA512
09bc3dd89634d783a68c0b38aa127c417dd96e82cfb80a1cf22ca9b039a7a9d1e86e729cd7cc6147ef31436d1501640b574d611145e5ee65b64acabd6d65982a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cc94ed7c3abd48bed3b261ae5ef0ca9f

SHA1
43a2c9ea9cac511b6ddeb1b01709f3bb28f330e9

SHA256
5e10be1ac94ad993633f4a393d515722857410934d61a78ba579346230e6b36d

SHA512
03306a507cb1ef45758e31584d5bce2c9deecea71196fdd735fe42eb61215f2f63d35d7faf7fac4654fd62490108d8e3844db00b2755bd8ae47dfecd7f975a4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e9cedd63568a2f06b4a34b36f264c3f6

SHA1
d681f95aedc81117a8b977be791732d43259442c

SHA256
4f00b2a019f5a303b1ece2af07486b356bebfd112dcf4bd1894b040075d5f226

SHA512
60c2529618e5e2f7d42c44846b65a2a0016a44dd3b6309c89e1636adec670f488dd5ae2d9feaff28882e86ff56784628c618ed3fe93999540828788eecfbb2a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
df6eeb4ebd65d213872a74bfa1f93854

SHA1
e90cd34f5a2b6515455306f4258e526fc8463a57

SHA256
ca50a0ef3aaf0125b363defb7e928db5276224e876969595f53a54af773d42dc

SHA512
dac7828b0fb574e65b3575e63ae08d9f16981c15b20b4733d934fda3c4ff9c548adf9ca8c3254b211dca00cdecb5d5061c64d79da82879bc53158d57ddb25ef5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
167b6aed0f8d6e4e8004f82ac5ef10ba

SHA1
ca657cd1ae5af83f8c2c851b96fb72fc059f44a5

SHA256
8110e4aebdddc77ad20f476e1b330bb0b3c5438f260f06e6997089a2e09a22fb

SHA512
b08345ce7b2eb2402222ff34ee87158c4df7d6e45e760ce3081a4b197d98a1688b18d0fa6af3897436273d2cc3930fc6063dbe19848601d02c1365edbcc2d6bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
65d42b12e4016ea92a6467b48d205cbd

SHA1
25acfd21fe80d9b705a661c1ff1fc765f349c5f9

SHA256
cfe84d728c76f3a3b1ad57805d237aa92cb6b1bd5790f8403cf99b0e3d4d1ada

SHA512
ea29be4f481fc7cc36c08384d7045db86d564ed72c1d68e0adb958b00fcccabda8cddc432f87dd7b4a4f18895b5a8da5127a2843ce1dd5673b20c6b5710b8407

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\69f5551f-3aa1-463e-8314-b2c84e87877f.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b8adc07ef2369a1822b01fcc74b32b61

SHA1
62d8f0fb3dd63e50ea61e2638f96590e57a57132

SHA256
fa04ec60f96015b19110614783679a834b786d84333b4cb2b048fd43742f6f71

SHA512
2a13cc988e5f26caa92b30ae9023af2ea1f1452a25a0b7d3ee9b638966b1829f3c22c00aa7b167cddc8ae028eae97e572bf242583d5dce123089fcc6011221e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9a29d6f8bf1f680a32b979417da67b20

SHA1
5fb583fb4bf23e2dde5d727b0a80a5d11071b6c5

SHA256
e68470f4072f011525cc87a4a15aea59751f14a79034625ef7e8580c29bd58ce

SHA512
61c934cea5e12b127cc4eb075b910b38c7aecd1b02dc5630d68b709fcb166d2b79c7a34bc3c953d914fa5378e06b8942cec649d3a1b4366b86813f6017b56525

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
40585d0e7f58a814b4807b9160537b40

SHA1
2aa49cc5ac4946fb82da08ac68cbffbe07eccdfa

SHA256
99056644d0b9b6606f90c43419c9e3be7f9b46114a63f991206b9c269cee7178

SHA512
bd5527333c02be72c030398b7f4a849180d624139398d5c5bc580aa7ef7bc65da52edd336361eab09e5af6671d873a19e76315de644b9e0f45f736ed466d2acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
27cdacb86a5c84a5f3d210ffba0e0e34

SHA1
edb95dbbaa7fbf207dd5efb34891af7312ade18b

SHA256
99179c316d10dbec3135c1d6a5c890c342ffffff6f2b368ffb76b9d38f9d2d4f

SHA512
9d83e6100b7a261b02d0442c2c68235f51b0b66f8badb3c04556970f33011236792dfcb708aacc737c8b8cd6a48b43277bf84ad327ac15ff124a552e5af90b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e3726acfbec9bef565c318779a9ba78

SHA1
fb6ce0d59fabcd2813842e60561fbbe434f57e28

SHA256
176160c2cd00d3a532006651c353a6948187f5cfd11b318d2a46be905370d467

SHA512
f6ab67c05fd90c850dda70b1c7fd7dad6968f8738367fe531f78b429f446e1398878bf21118b329f7660ec1ecfd116f024b0b8072572d1fb082defb9b659f8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
39ec6eb54ae2a20e5a4bdb93987596e8

SHA1
548b64471715899c89ebcd3d8d1127a164612e87

SHA256
e6f35182a6bd3cc4e156e443db7c0b28333a0529eeccb0f71c1ee51a0ecc662b

SHA512
9669ff717878f31ca30bdd2936805f7c882ea7d1f687c7438c4e15a1c9dd107f4a6dbb28b92ca12ca8d41a135b3557006171bdc3ef3440cb1bf0529547a4d405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6eca42d4d97588073f54ac56b6a49ec8

SHA1
8d3afba03e87a853e88df5d50b0a486cdcc75a51

SHA256
6fce3dee1fef68f4ca2b870744a1de883661b7279471a0fcf4907bdfbc758c75

SHA512
3cc3c8f8e898a92c6e111475eafb0724d58121c36a47e95538e0ec13b001428b7bfdf88e97f43d234fc104c5fc618febc2916bea573bac78d01783f061d1f17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577d2f.TMP

Filesize
2KB

MD5
3f83eec20ea3491da5eff4ecd04a269a

SHA1
2bd6a1dba95902229d1ac874636ba43303ceb376

SHA256
458e9ff8954923b8a5788a6fc41f46f57097da4985fdfc96cc5a69d5eaf5cf6c

SHA512
662df191e193fc7c8602695472f8ac3b9298636386104dae8b118e562701b6e652ff5fac488d56a36a4dedcfb1fd46454b17212a5934150766f9e2a41e5c637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ac316266eb6676d690a67a43d1beb877

SHA1
7f432e4099ddecd72cb2ff11605571139b05add3

SHA256
6a4897010c10f3d2e23ea1d6027ea819e6616181f27509cbd81d075c972625bb

SHA512
96a6f0650676f5bb8560c2daa739f262cdbb06058b16cab4deb672ca7777b891b1b494ef32b267fd69d5dd7b58f934657498231d416a43a23c710a0f6567ce45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
02cae9a99b127b8f996a969de0da9695

SHA1
bb1f1dd25ef1cde4d309fedc029698c600aab5de

SHA256
3d730bf6948cae42d7ab8551b485ef7322904dc978f2f9f5a187a593f0b30580

SHA512
846ac546b93749b0e41a0c74b7f2949e0da6383cfcaf7422d2e188800b045667f4b144f32a353cdf12b38114a10dd0a60c10b29bc5f8dba81b09986dafd42542

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
05d96620f7360a39297eda678d1a7580

SHA1
2cd853fca3a0a1ef910a6f06a18d95c998f46fba

SHA256
e91ae107759fbad0c7816b8aacc46d55e013a416122f96c86c67fdf21d64e64d

SHA512
119684eff607912ba693a0ba4e0ad16ff6be4f046958eb9728b5f40aa388ce371d6942fc7baf051d3745e53971312bae7aec80c0cd85dfabc417a53ccd4550dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9228278ea60a84fd3c7d4f89c9141e95

SHA1
e4c1ff8c8ca7858a39326b1686103c0ee4d1b727

SHA256
bb5255086c6213dc46d869c3e92f2865ea02fd052a1836101277de38491045cc

SHA512
72d620f6ba642b2f10a1f4f8d4303060df5f04089374b5751722d365cebf5e97cd9f3d5cf3a1f6e1bd5bf6ad9183ab5cdba3c5470fba5ea9a6099779634abf88

Download Submit
C:\Users\Admin\AppData\Roaming\dfa20043fc7bedf8.bin

Filesize
12KB

MD5
adab0f1f1cafafc638015a6f141a6fbd

SHA1
bfbaa60d8b8b4f92220040bbc7030b749ab1c358

SHA256
562fef5e43d4ee71e361815985422f6c0b66e45cda924325277ff9a8463fcab1

SHA512
b680fbb4b419230d7717edcd2b508157db58cc18128269ce0f962e07a55abce6fa1395c387a2560efc2ebb3267764336f57dc025e9c6082a3f095ae9f8834dd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c044ce33d578cf059b9667e20659e412

SHA1
43a6718e12cb432896de49dcb6e23b39670c659c

SHA256
876a520518579747660ba22aa6951037f3dfad770a73cfb80d8cb9ad3d57c681

SHA512
6b10e32b124c32b36f656bec4d8501187f986314d30cedc2c5f35d15cd096d6c468c72a4f790108603969cf1f822258553d68fac47aed8db73812bf60147bdd1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e9312020914c56e0395f6ea091556796

SHA1
ac822dd0d87897009e6a50814ca8ffa547036943

SHA256
034d99a4d247548b095e27e37fa1decddd36c2681219a5b5f6bacc0d7e0aecaa

SHA512
7e4df43ef3506eb0e9963d56544dec1c5385057fd11bb71c3abba7ccaffb0d8b905d14cfdc05e92143d5386ad4f8f2576b128e40fde4e1f8b089b350fe055bc2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1e4bf48ab36caf8d7b7ca263a62e78f5

SHA1
f97006b1e2c11fff03a3ed6a3fc7fee9e95ddd03

SHA256
c5c8027b172c237035db7acc0cec226cc7f5083244030be867c590875a47eb29

SHA512
a1d749a751267a73ac435e77bf88e0047a69f1584a9440ccd7994aacf08a190f6b1fa22f400992f7dd4f89ab8c112984e9aca6be79394250071e9828fc266a64

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e14001342847f9f86d7b0f2917c11227

SHA1
19e453bf508b9caa37246bb607b31682d51f83e7

SHA256
247212ca419310b90d331897ec31a9394f276cb41e25874208b08cee51e114d6

SHA512
e905f7b3da27bb8282e3ac782dced5143e85e7c273f29ec62b94466289d25dd98017de1916f7110d25abfcfd7ee0d833362693b621e448ac7ad71dc8446d0c5e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
82e81ebdaaa3c6e4feec82dc0c47d3ce

SHA1
d917ae0f4fd2b95d2756f94cde1bb80aa2cd46cd

SHA256
bc720211a0635492ee4fb2ea42221e0e40272d51cd78f4732ed867ba74d55dd3

SHA512
c049708895729ff475d613debe59cb9ed7c8f62691252fb8c5a430b0ebabee3775a7894fcacca37f044668e00201afbb78b00e761e70d0b629cbd03138298a1c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b0c84c287bbad2ac9353da08d36ba121

SHA1
fc2fedf13d231299fce14de08507466824e726c9

SHA256
089b3fbc9fd1d0efabf016fa5493c79fb4f71e565af83eb2601c7e13c2fafba2

SHA512
74dc220112cde099806363c596e173f1b0b0e537ca8f15bcdda519d48171f5a7b6c359e89080472799ec1be167892eb2dd027174071c5f1ba7293b95b1c103c0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
01e5a6fd0f5122acd5705cdae9d666e1

SHA1
832fc37c78dc643448018230be839944cf0ebca9

SHA256
b81b32d4b1988ed2dbbac9a9e318ff4061aef5fa295a4b263ca24a68bf94507a

SHA512
84a47ef8f7b98557ff4c349935b6e45721e41e7b48b4bc3f5936b18acf6a7201cd6f492d0dd01a7b89e3178cbcb9ef003c90debfa353248cfa42652b19e79956

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4517a891c19ac42b92b3e5c05b6da817

SHA1
81523dca9e13d1214599c883fa4a913c8d632a3f

SHA256
a87c15a2930c8dc3f6fbe4c63a7a6dbd312dad8a452e340eb469f21cc870306b

SHA512
3c72996ce4a8fd5ceda2bf6811e9d096ed3b643687e8d890ae2062a772a5df1351ef7d919536b37f19f01f6cb8255fa3eca0181440ae10f9865433a23f2a3782

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dfb3bc2a3e703255bd3ce3c5d19cb36a

SHA1
45c791dc1ccf99eeb6f1c84d4a6d143e11038d96

SHA256
105426df21c1586d76b7d73233b189947e112b6bbffde4733ecb37e1e68de2c0

SHA512
decdde9ba86a274ac8be27b6831eb74f98f52d0d29497b816c4c431045a55a5a2110f40f3f5b1e2b0102549f35af2086179bd58d2dfa5e00ac0890cc48e1886e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9e4d0e97957edf0eaf335f0ac9bd9056

SHA1
b4a03b4fc0c2c139b0d8adc04ab74c6a40b65425

SHA256
4e95280e364656916de974015fb5aaae586a7a30407711a1595bc64f2884220f

SHA512
14f3fb8083a3b4107ea001fd4b26b65897732549638274cdb6117843d7c8063a6cf0a00d0149acc7b0b8a8cafeb777cbbba7f14adfbf4fbffd146604c5f0ba12

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
174bc82f461843f60b61bd35c1b7a930

SHA1
fca89af83f914fce633cdff62c2fa4acad0b83c1

SHA256
be52cdd747399e459567890fc251b7cc036499e67a2f7eb9e0cf72e417012672

SHA512
23edfd4f80d7cbac7adfa092de1f48ff67bfc31abe68c6630041aec1b5c0cbcf0d8ef31e9f3a54829c3df3a85fb9c99f3aa99944cc0c7824572fbb74ff653617

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
04e3b91f22a77fa51322a77a469a1b64

SHA1
f9bc4d49c47db6014d5997847cf18354fe2d822c

SHA256
4fd7451228668d947d497595eda052bf657165b4f0f8c9b9ec24f01c78c2a5f7

SHA512
ebc48439f3b5ea456fb98a1a3cbc0c09d8f510a11a14dc8a592f6ba1255666f6cd06255ac4ef7f4f9e8719e2a30bcc9a8e07c481ff00ce3e4fda0a8fa90c82d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f485352ff7693840d3e7d8041dcfeeed

SHA1
647b7b8ea1f556a441c6d1ed0dc9d7b67288d7d4

SHA256
d1de60e3b3f77d3f1f174e71f5c4574ef020a6bb7110a63d3ceae2c60c13fc3d

SHA512
12e0fca549a57c4c36a0be9ca09962371db4f6ef3852dd209a0efe862d64a1bc29e36cea4ad3b06b23ea689f48cc95ea1e8af404168c5021bce8cca5be8630d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d8ae5125c1d8d684e6b92ea5da875eca

SHA1
ff89c3b2bc519b00dac4023426f3cf126a1258de

SHA256
fd4fb19370cf3efbb7a157ef200adf0fac7f9d425ca0dfda8da469efff5e761b

SHA512
93c963001476198b6804b5db9ed0847e8365fd3e4e2764d990bba6ab1cbfe4dc101584410323a5437098a00343cccaa810c0e276ef8161a47424af2587ea076e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
802c50ca766e5b4ba1a22a2168036a26

SHA1
a76d561ae0eeb5b174310ba35f00b3076ee9f680

SHA256
1925e775d87d1cee2f810651b55f55a35c87134f076ccf3e65f3dda2d0db6bd9

SHA512
0ca64e0bf09413fd4ec15d318afb887b7f7b6cbe0696b629e891f3754b47202019fecc84b4cbd7a8b6473347ce79e1e835196a5134042f4eea12600fccb33509

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4c5aeea49e61bf6f1de8d5214a8ca6d9

SHA1
bf4ec171e78c0111460edb78aa9ae81841262a67

SHA256
cc2d40b95ef936e75f9004b5c83ad7a24a269575b103b090e01525735a06261e

SHA512
6c54cb8916e4eb687694e025bfae715fc08030b5dbdadd5bab0fb7db2b38a253ad94843f8722a9a6a0199a1f7197266b818401a3c05e15904ab433aa25f9d099

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
793f111f8b9ca444577fa057d7a3da49

SHA1
eecb79a116319f3d054e378a34a5945c6299e603

SHA256
a0d5ca0e088e9e55578153aaf87de517214d47c7c1fc744f05e0867234486e04

SHA512
4bd79100a09ca5b9fd73741c6f27b1cfb0f596bd72c95b7e18d3117c6ae214807dc5ed1100f15b48ae54fe3478d7a43fb676b1388b44540a7ec9642fe70b25b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cbd956a525f8de66fcd72179aada9bfb

SHA1
263c9795fe01fccacc43f4ce9624a81912e627e0

SHA256
f1541fd8d88e82e685bf755155cb20f5d600fb37c3db1d98f7acd1eb6ef3e0e1

SHA512
96293329b29f08d42ac48820727b30bd047637fb72449259c3aede2207d567b2bba6f2ee3fa36e3217a687dfaaf0c20a1a646b0f5d0d0f2e0dc2f04c481438e8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2017bc1ad588db6593742f6028f2b8b

SHA1
b78a7d3575326f7d3c3b9d0e588cf171576fb803

SHA256
30cf58ccfca0689267931d90c8e331aee3754f9c101476d0ecfb9f87e1ef6af3

SHA512
66af70621d5765a0249f61f175113d36649c4ee50a1a97a88af67bc335d22ec9a7141cb580314b448439f6ddd37577c894403ed5de32f2b9bcf81c5e0f24f270

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b1f0362d521289e8651b06ad24a102b3

SHA1
6c2430d9e12a5eb93c5206d9825919b57e9c73a1

SHA256
bd5f398fe49fffa5ddf7df49ea187d55d0bf01b9c43f97267febe4c1066f6cf6

SHA512
1e36798c18b81c6cd35dafc06f5c83f4197a39fc6ad56d53a807ea0058611e4239b976a66a88908cc9a93b98c97aa4b732504e60fd3ae8f5f162c703ec4b3cb0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
17b609226cdc52fa5068f01567df8169

SHA1
db6cc20701ba3c1ba8db57f50d349c26e9bbbfbb

SHA256
faf072713740e904b5c7d9407b953811907ab2b16f30a5a1e610d3e0062a32bc

SHA512
447716fcd997c23ce17a65ced66447df9fd3bcca5907b8c78e10a08dee366d5bbd7207917228e53237740490bdd8bf5606e32471391fe2b56206646aab88f9a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2a794519a623d35ad536c59d9e5376d4

SHA1
392f1dd6502814290b9868829ac201aea91cdb30

SHA256
16261c08b38a6241f259a4cbb033d967a5f662dd9f909abf9de6a1e0c1c3f8fa

SHA512
745d7707a622fafd4b00146fd58be4bb6719ca9a370ed7dfca185e38b2ce5a2773b140e6b9ebd608bac57c73d1a669b58fb8b685a80fb54e1ff57f904ce54da2

Download Submit
memory/228-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/228-12-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/228-21-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/228-111-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/412-209-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/412-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/412-199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/448-146-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/448-136-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/448-227-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1016-33-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1016-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1016-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1016-8-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1016-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1696-157-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1696-263-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1696-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1696-151-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1804-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1804-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1804-54-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1804-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1804-134-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3224-185-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3224-195-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3224-277-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3484-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-258-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3484-233-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3560-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3560-39-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3560-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3560-120-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3608-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3608-122-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3608-121-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3608-129-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3936-95-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3936-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4204-182-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4204-81-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4204-73-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4204-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4204-100-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4204-96-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4204-272-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4472-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4472-359-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4580-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-103-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4580-109-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4580-116-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4580-118-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4992-309-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4992-215-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4992-228-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5356-274-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5356-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5356-265-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5440-371-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5440-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5592-285-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5592-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5592-280-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5592-357-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5736-302-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5736-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5736-307-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5736-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5848-318-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/5848-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5988-331-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5988-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6116-345-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/6116-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download