73cf0208767f03c8f85b522912acbbc8a14776f60f6cd1575c912d7d74c9e8c0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
Size

5.5MB
MD5

01e1f43c565f29e816218efaba113303
SHA1

b8a8efe181041f61b81de3f237bfd100d6083cbd
SHA256

73cf0208767f03c8f85b522912acbbc8a14776f60f6cd1575c912d7d74c9e8c0
SHA512

fef0de9b5287ecd89478780f86bbb8e7df000b0e7f4cc505ee19722f5a96775d225d99ea6a875f4ceafdcb30c189ee2206212bd7b3b874236993ae7c6a69899c
SSDEEP

98304:LAI5pAdVJn9tbnR1VgBVmoeBDljlnegLrv:LAsCh7XY+JlEgP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5176	alg.exe
4644	DiagnosticsHub.StandardCollector.Service.exe
1360	fxssvc.exe
2260	elevation_service.exe
4464	elevation_service.exe
4848	maintenanceservice.exe
5460	msdtc.exe
5448	OSE.EXE
5488	PerceptionSimulationService.exe
2872	perfhost.exe
4640	locator.exe
3200	SensorDataService.exe
2476	snmptrap.exe
5292	spectrum.exe
1672	ssh-agent.exe
1060	TieringEngineService.exe
556	AgentService.exe
2420	vds.exe
4344	vssvc.exe
5260	wbengine.exe
8	WmiApSrv.exe
1616	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3a708136c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a17ba818b891da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e005b218b891da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a17ba818b891da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009629f718b891da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071dbe818b891da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c53deb18b891da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096b98418b891da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005817e418b891da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b1b8718b891da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fb4e118b891da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5160	chrome.exe
5160	chrome.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
1700	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
5104	chrome.exe
5104	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5172	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
Token: SeAuditPrivilege	1360	fxssvc.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeRestorePrivilege	1060	TieringEngineService.exe
Token: SeManageVolumePrivilege	1060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	556	AgentService.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeBackupPrivilege	4344	vssvc.exe
Token: SeRestorePrivilege	4344	vssvc.exe
Token: SeAuditPrivilege	4344	vssvc.exe
Token: SeBackupPrivilege	5260	wbengine.exe
Token: SeRestorePrivilege	5260	wbengine.exe
Token: SeSecurityPrivilege	5260	wbengine.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: 33	1616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
3028	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5172 wrote to memory of 1700	5172	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe	85
PID 5172 wrote to memory of 1700	5172	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe	85
PID 5172 wrote to memory of 5160	5172	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe	87
PID 5172 wrote to memory of 5160	5172	2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe	87
PID 5160 wrote to memory of 3064	5160	chrome.exe	88
PID 5160 wrote to memory of 3064	5160	chrome.exe	88
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 3108	5160	chrome.exe	92
PID 5160 wrote to memory of 776	5160	chrome.exe	93
PID 5160 wrote to memory of 776	5160	chrome.exe	93
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94
PID 5160 wrote to memory of 1892	5160	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Users\Admin\AppData\Local\Temp\2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-18_01e1f43c565f29e816218efaba113303_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9eddaab58,0x7ff9eddaab68,0x7ff9eddaab78
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:2
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:1892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:1
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:1
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:1372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:2288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:4572
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5188
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7b47dae48,0x7ff7b47dae58,0x7ff7b47dae68
      4⤵
      PID:4936
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3028
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7b47dae48,0x7ff7b47dae58,0x7ff7b47dae68
        5⤵
        
        PID:5444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:3208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:8
    3⤵
    PID:4848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1920,i,6280032631570548809,16752471216703923207,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5104

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3200

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
877c34a5142a52655f0272ebf1fc1a0d

SHA1
ca02b147dd896fa09dfb37d3a8a9de45130e2ca7

SHA256
0ade3c76b1585bb3de88d085377ea5079a265564594fa0f1fc5a874725b3b4a7

SHA512
a2b940b58b806f48a7e5ab0226aa12dca684052679c0afd0d18e7193fb691db2bbc3f9342f1c92ebb9281163bab877d7ce5c48de054706174016a2a447b36e03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
da6a217d8543689dc654a8e4761e89e4

SHA1
c680a7973eedf8d56dee6f8dbe9be3f8bcc14f3e

SHA256
3b776ce14abbcca5a72e0f99cf1ff47c278470b79ec1e2f8c3b207fc459a4bbb

SHA512
a509911f7f07d728dd330e81de5a7cdefee47cf693ca0e00be9573435ce0e2769163720ff3c09ce4cafb22c3e62945397425696f542b6d05bce439eaf4395d67

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f5995b2f9f230e8bd7a8b01ea784fbf0

SHA1
da7a98744710e1d483199fc56d564e3ef309850d

SHA256
578b418f3407d618d31980233dd4925599c73914302d078c6277195894cc6ef6

SHA512
e35a1633f9be5976658425cae01d65931f40369935e1985cf8cf93f73c25f09dbbb6c3a627368685aee291856bb8434d0d9592a2376e1259495387dfa2a81465

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1f555f1d83f457b21c8c913e7d54bd5b

SHA1
1025dda6008ce74db25ee4f667a06be54919eb43

SHA256
fd1470565bbf530a9ad656df2850a31ce026912d9be056226240722daf39de5a

SHA512
2137f34773d3149f0c2507f8004643cb343834e04f87a4afe939d0c488d0de18520a77891b9c16d246b2de2a3ceb62b517b520a5a8ed8079c8464e6fdf1c5789

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5166de4490e337f2ddcdf934c4c7a718

SHA1
d16cc4a67b465d79be119898c27bbc48351d0f85

SHA256
8844dab027c14aad676449d14a074652bc07aceda17dea12b183259c9247214a

SHA512
abcd8e18fadf9592eb921d2159b5997b4b057eff0448c500aba8b4c652dbfbeeae20af79637a59fedd321e4b9f59f4a7790e521a4b9409e0fef0a644c3740dab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7c84759e9e2ab49e69da946e26392e12

SHA1
a335fbbaf0c8012b71222f015c3575208b59adc1

SHA256
cc6b9cf504b07a366a798b08feab00960ac4fb4b08cf5c9d305a6e4725d6cbd2

SHA512
3af9640b8c590acba174b214976fff9be6530a799c9827bc859ec7dbec45366d520c467db11a8c1e63a8b3a89f07fd5e26888e7f2cefb9e7cb2f780a29e16479

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c3599291f3cc1a0da92532420b0951fa

SHA1
8315d02e87319bde31f65a40231986b16ffc9799

SHA256
dc221209fd2f039d286bbaeb7c43a37c8f620ab1a4012daed554ce92064d3647

SHA512
9effac7fbe4617b901202471200abc8db6a9a2e17c39e9f70e1b33dd46fc1caa9cc282f874200fb07604537adb1c39f8aac9d2fb0d14983e94776794ba1bc10b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4d614d238565c5b7db02c61a71240dfe

SHA1
0bc775f7a73b1c858b76fa8d1908520cfdaea2eb

SHA256
0ae57f8a536737b3167f579af34b63ba80120345c128bb8bc7a85d515e1b1bdc

SHA512
4c67b0c5b46ab8802ac485e6a6f59bc84bfd34d1a965e6ea8afcda055b43903154913b48ee3b23204f3f10e8593950135f2e7091b830bb55b2cd91d753a2b80b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
74b17c35f33c76768634142afd89ac58

SHA1
5271bed9968e7581b7f01b42f0f975a431567ce7

SHA256
8427a8105848ff40f9a2c98acc99562e994a6d3af6d1e6ccd947ae99a3478d59

SHA512
0fa89515d2aa3a77e7146d5e82238c4b7af7f39b1b748406dda0ded839560e6b7f925932d29e3639251d220194444ea74660ba03170b859ca97c801ce7340149

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e9d5aef7c9b718d3d33243ca00965ccb

SHA1
20038cc1dfa050d29c0abda1b929f0136e7c9e52

SHA256
fb3ebd3fdd94150f00a11904aafa4dce75e4628cad38290cf4c6cd74cb2c9758

SHA512
5d325896387dfa90d8b8a5395671ae15468e7dde9cc836d2098abcabd72315de90341124dcc9ec59fa0c5a5026ef2dc35c3c304eb814dedc93aa0428f85f5c25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
904a36af3a6777ed32b7221d47236562

SHA1
da7c68a8609fb4462854ba987efe55d757238b8a

SHA256
23665d01c558ae5ce4fec1d476389e74a4f9898e996e73588c6393ccd5d0695c

SHA512
73a108ba89f1994ce41c2b70134b5e04fa16f384932f90743d9f97846f6bbef47f564ece31b52f7199d398360ef065e6b021434b7993fb182f67dd6eec0b30ef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a249de8c78691d58078283f424b11abe

SHA1
2978245e05235ae0827b9b3471b0f4dd52e56645

SHA256
003438bd0fec8d45b646304743faf3eac1fa4b2a918e4f0cd5831fb391fc6751

SHA512
75c11ab2c276eeefce8478748c88cf589d6d63b7a4c119844816dd81208dcdd72c52ca6eeae1ac9ab196295d0466262f2c32a46b41dcace50e4b0487b1e352c6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a3db1c0581eee9b08c6e5d157d102dab

SHA1
56e3a9951034ffdcaaa91734dc36c094465163bb

SHA256
bd4dc18d8a77501744bfa13079ef3ebfb5ec2b9c2ee6831bd6a7d567d5446d77

SHA512
529725e5c7551de20884b453c453ef842395439d1cdd2dd8f860dcffa3536849aa243f64dcd35ef37575b06c7715f1631efa1164c8baf3d354dcf0033c8cb90f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
950271c8225f404fe5754302e195a38e

SHA1
5186c1676d84b5c0aa93ec0faa2797c8c5af72d3

SHA256
04e1f43d127c64757afc416492b7654454e20f3e22f714d1c685e78e72e1cc33

SHA512
7fdb8cd655507776e4dd92bd78612f43816bb20770fd9ce61b2bf4a1a213f1bf07bfb741e968ec282f798947a09ead141b30d1502c0e8bfdd15fe7f916c0841f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bcde2de372f5b1c44ade8d51c6d22097

SHA1
af0a091b1e26409cd3fddeb56787b17828facdd6

SHA256
3158113b019d1821dadb338ff47976d7c7e4b2038c70d19aa8d91b321529bce0

SHA512
83fbdf421c980b0fa2006cef2b6a22d296e05cc487ddc3a659ecf2167adfe47f179060aceeef77db261d6b4490b84ca3d1bc2a1e2099678e1af200f58e793e65

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6e842e3ffbf73d6dd26bb11ef7c80e53

SHA1
55cf9c49a25d5e8d7a0a89604b6bac268d74b5bc

SHA256
f006eab652282cf020d8bfb9796fcb46b5ec65f064b4115c8e2050e1f9b610f9

SHA512
5cb731322edc70015d13f6e6dedf77452b8766bce4c3b3d52a7d2be36a81f35d001d1ffc65e6bb611f685919a5f228357516f63df95c090c179ca0acff4406b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
82ed337ebe7cbab1c4ff25f03b599a52

SHA1
0c29c9f5a67498fd32307c7271ba0b56f45e9997

SHA256
ab322ccfe99aac139cff0173fe7427d19dacec84336a168accb43b3dde88ea60

SHA512
a53e42bce46120662dd8366f83eee87a143b30d930fd1eba952e5d6c18752701e2418192a1add3317c50d62855b59926085966c7e3a06a29d61fe67a3df62c93

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1aba72952bd2bfa15f872d77dcd9cf48

SHA1
78581b7b10922d5f5bb3f544d64bbaba56257db0

SHA256
c80556cfb1973e77ab0b4709d0c359e4d778a3ad2fa64922705d0f8cf606a60d

SHA512
96cbf270bb7a435575450ae31b364a378b5c272de70401db2e8a90ead5df67616aa944c3eedb158ad30f8dce05fbe4b88d81a22a9d86d6e29b2cddcdc4b474a5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\60186fd5-ea59-4516-839f-4b65115c1f19.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
de12c5bb8060407a115a84288f9aa10d

SHA1
40bd044007c16579401624dee50aff3f99973131

SHA256
3016778ef51f28ead84a4022063997625de85a87223a5593e52c5a697f37144a

SHA512
3f9ea87f9bc39bb8f414d0d6c2140e4b41a7637594dc375d7740450a5f381df6ba3f261130ddcbdf5ac822ab5b92954345c60dbd39bfd716ae2fdf86631c5f28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ee1413916a66bda63fc852d763f3a1a4

SHA1
2af8978a4d82c1bb52b9ff540b84f13656bbbda9

SHA256
de19c2b2bbe74f5b2164df5decb96709667e62d71698a6a2bc449fed44c394b7

SHA512
29e2139bcecd63cf0843189f13187deef055c79c87ca632484a0c66f7f84ab9aa0fbe5a585e8083c35cc60b05276e321ba93e9a1b5206c322a5d2273cafa4a0d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4f68a8821111e6cfc7a31b6a47b25b3c

SHA1
d897d300836b962db11c90c9354612e5476f26c0

SHA256
e5d5c4c631a87aecd89a68cee1cf80a440186eab7247de100476f07f2f7dba9a

SHA512
0af77f99023dd31290e5a7e28c380452f5fcb4837011604560d1467bfdb201a43a2ccfb2ac11507ff71df1c2b575f6bd05be8e731fda2228cf42caae06f2efd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
273d2cbce45caf2ede717d027049f931

SHA1
4d3880a875edaa72dd9cf1b44108c5748cb3dca2

SHA256
37b7d501862fc5714342a23f53d38d130e4f685f0c7302c4cf9df83e20d07154

SHA512
c2dfff0f1d845d68cac6758161653cad51fc47644cb4231bd92dbf4a140b50876312b254f9381a5b8c42723d00e123956706e94c2c41354d36c577c79de8f5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
78e3e708bd8931efde8b47541ff8d8f6

SHA1
bf7688b1bc6b0931ce294927775e28794499b974

SHA256
7acf34f9fb55662e8108c5ae6371714b01a959052f06b690558afb8da880ea81

SHA512
5dc66327c3d9a636bdf81b6d2e9a63f98c04ac2cd17a9b82595317d95583473428837cacad1b4ec91ef0afc9a32013720a3f16050e2f7d0bd7a5a6d8a05bb55e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
31c100410175361d4a19c1847e7796dd

SHA1
2bce86c61b50adbd2c412a3c00a18f65c9038424

SHA256
8ca23d891030634288d9e5f84f68ae86fa3277a66b1a38a897f11eedf5ece7f9

SHA512
9aaeefb638800e92503ceb96347dcc05c83500a6560c954bdd1d477ddb7a199a629aea09a639722cc6c12cbd972003988726824371bcf18cd9ff5438262f2924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1987c1903f41a6b1213e6be62a13d2d

SHA1
fdcb9a1582022a41bc107d5ed91798b08d07f834

SHA256
cdaa5aab1cfc8658d70b147285ec417040cf3d417d657896d78d356bce2bf35f

SHA512
83cc8e8f6e59ff77e523805b4afb87b53fcb7a1d3e012e490c03fb6b2a5e49729556732c2b37666cd9d06fb1bb908965c5d35ec5626e53f0b2c1cd4b6ce99956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5760ae.TMP

Filesize
2KB

MD5
30b8f508502e1051f3ee30171879ef7f

SHA1
1fb298e045304f43b89e5fb50effb26aefd3220c

SHA256
b46f199a934c112c4c6c76e3ad0cd1337f73f6c878b53a58681c7c2837601816

SHA512
b653622f44b18004d7e9e31679c3f8039ec14c38dbcf766736c1990a0b50a1faa83b2374d63e1daadd6b0a49829478940be397228d6eae8ae9b2ea3084ea3546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
247b70fbafd2d81682af4723a673d50d

SHA1
1694a17b06542cd456155825bb4c843f0855c534

SHA256
0af7758ad9fb72aeb506026c69371515c34211fb5aa41431ee6bb148dcf8759d

SHA512
8b589d97d9e8487c1a400bfa36ef70ca40e44a046fd0eb0058417ded6712705933b3923a49e13a1536329b339f6149a8be4d7cf6cdab745a757ca7fbed969e21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
14dc37377fd9b3c5d8efb6b0bcba526b

SHA1
c329e43dd96508dc757763df81ffa3dc95c1ea3b

SHA256
16e5ec442e1b707b70b748c51f410a4c941c9e1bb51eb1170513d8cb32568ce8

SHA512
2dbec116425c5fb9afe41881d7c93bb5ca154064887ebabce5cda151698cc79e695d125170aec73197a707710c53b3cb8705d74d88540e8aea9dafe8e04cb061

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0f18099376fd4da87ed989ebe20d90cd

SHA1
0730dd93b35ccfb87e87fb0f76f4d943cd95fa5c

SHA256
0c7c73838d180adc2338bc8325c800ecd411fba87752d0617c2c4a508458946b

SHA512
3629aec5d5ab0f8f9b80a567b37a96b73336bc6dcb27c67e9c4542f7b2eb23bd089797a74cacfd197bb67848446ddf90029b8740a1fd563264228f27ca84ddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
d3d84113046338f1806ca978932cad53

SHA1
d77bdcef45151f01c407c13bb008b0d7c9ab4c19

SHA256
0f02c001fca1f508c5e9a2d4722775858052fdfb4c0aa80fef975c256e11bf43

SHA512
ceaf6a9a3c1e042fe306df7ac99073a53a9c8cda68ec8e5522d04121bd17cfeee0ae03fe2b2b7c994b754143af14b6305bc306f7dead2d0d1b171bd360e6764f

Download Submit
C:\Users\Admin\AppData\Roaming\3a708136c43e60d1.bin

Filesize
12KB

MD5
1bc9bd88de80ad3ae064a4bda179ba3b

SHA1
d6583025fcf2f808970cf0364b8464142c67c578

SHA256
681ec36b628651117672ad0cf4cf4c1ac065ed29991310ba42f2511eaebf6aec

SHA512
0d17417ecc770446e668cbf12771af2bff24adc748e6591c3c6292b7b8feb309b422e4693bee8ec51688ac8c6a2e542c16f37e6018e8835b446adfc29bb41f97

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7e736bd7ef817ddc4d74de56f9b05267

SHA1
b943891ea75b782343a0ae20bf90a7f8f0b667b1

SHA256
34530c137f9ce635d94ed4ee438150ff30d06af7d54741be1ff27af83a2c03c4

SHA512
9d24995b38b1a1f96b2637d39d46214dacdb8c8fa9ba94283a91d36d2345d55ab3905014ea53338234914485f5748b70672b66d67fdfa6a854503af27e97d68f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7e74e306f3d40e7af121a78160fdd14c

SHA1
d795752c62c0948d9b6ce1fe0ae7b5d18429a6e2

SHA256
117c627d53102add934ca2ab2ef6b8fc618cdc60c6a97d774bdc17f72ea4eac5

SHA512
f86215e7420a7b7ca7360cef9ee249d35ea19bd2681d9f95a9666e3710aabfe849767d88696589f3c3f5a9302dbded158aaa55f35fc5d78d5223db46f7111efa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f101687db6b9cf317d7cb93c9ac7c754

SHA1
92ce0a1d252e2244af3ae0652d7db76449e1e428

SHA256
630e44d96d8e163c9f263a1c43288c11029f1f3f4d78ce06fd17d2007f959434

SHA512
e9a9980689a1bc5b382bc4dfead75ed23c2bdd855566728d2027c1b841b9c0bb7ba3cb902250d8963d7581ec4cd4020832a08330fa1b33bab80559be20497f1f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4f999a4ba0f250085a7226896dc92396

SHA1
aa9afe252bd7114449df25a1a0ba6b6a34d921b2

SHA256
d11e56f66418a614d64ad21c501483dd73785764f731ad662f3647c822a51565

SHA512
21eb9f977733a442e294524ae730ec8e0def6d07f16de2551a0fa4a89793d8ae2e7a7e2306ffacf05dddda26b84948a4bed784da730ed46c6b3cff5b55990a6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
fd685038036128654e0383730fff2717

SHA1
ecccf69f191127406d91db79183aa5485e7bb0fe

SHA256
ca976c7c12d4398622c2e5fc3d1e5e92361a7b07d6c0c7b6b309e09e1ea8fb81

SHA512
15270014116e4ee732b0974790549cde834f88f1bcd0ded7944f35f34e84b0647b1e12140c85a0edd69cd4a8723b3da327f5dac963cc76a909d5f37d948ab3a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7fd9f794bc3334a18b5ce6af0a0d38b8

SHA1
eb5e15ee695a077c4278d749dd3b6bbb0b196448

SHA256
ec6f62e541642416048147672bb84fc346b85995a136a5da6036bf83ad166bb0

SHA512
5e946449897087e0a1ba99bd32bb1b85b467b340bed892567e63ff9b92300fb140072050f68d86256a221b732600f82b5385134b18c032d096d021680e4cb0ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5912295f1e277b57d7efdad7ddc4a672

SHA1
4d802fcf6c63e94c1fad55951ae3fe0609dc88be

SHA256
df632f561e5733138acf9039078e6b68facaa45ab749f0a1d88566a8b2418794

SHA512
b69c87c728e9f9c97902cf6d4783a9cf4a86704035ef8f096b711f6975089ab8d435539d769ffc4f5ad82633090d7f8a3f90a84d79157eedc275187bbe5eeefe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
850d2db47741ac7b28de3fcb494792e7

SHA1
4e6e8ea16eec9dd3ea57e83485d8b3c2fb75b206

SHA256
66f62d076d6b03fdbfe95c4eed506389d57222763c406d7f9f2c4df186b90382

SHA512
cdc9cbf00a75eb0986693ed18d675c07bf3dcd7189786a1fd1bbf933a61032ccd1dd58e4ff7a1567a98b35ffcddd0d202d4b06c2fbc67d38098a815ae0e5c276

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8350d62a53ad236eb5b90d1949eeb7e4

SHA1
a4d47d5f4e4123a08183a2e1c0892e4502c696fb

SHA256
6ebb814e63ea349bd0138da9c6fd6d7459bc304292a75262a2e27d32ad71a9d2

SHA512
a00da2eb90db6d9dccfcbff2d4fdd9cbbfc26696a42c5d1df529ede92851b419efddc8761e93a462b03927d04ec327974eb550ac504a61faf3e99b85e695dbf2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d10d31966d2aeb03b3a471c6a0d9f070

SHA1
1589c7d401fb43204acefd7397df6588be683d5a

SHA256
4b4a8b9b8bd2012e0673286e9ae8064187f159b8d0c3a7378c12ecf1e283bb08

SHA512
c0a61c937e11abdc803cb1c799635c40cca58b0116cb70cf1d67446dfb84a5429b2c66515c28e2d8283ff6971926dfdbc65fc79ccd569bbc35e9386b7d47f2f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ec81df07b566f101cfa47b68ad2ce1a7

SHA1
d58227962713860327c51e8ced418317654c5025

SHA256
a86d04a8feeb1731e95e0de71a4ada4e2ec7b2fcb1bcaafd8ce603a59184a956

SHA512
149393a94794ce1d1c45a62040cb14792d3aecf1de9a33b9234c2baf0b4c1b00d973f909fea01dbed09099cac73113db2bce49d94dcf9e44cc62b176ea5684f6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8eb3ff3458840d396f397bc663f2afd7

SHA1
9c3d326112bbf60a3388037958060f002972a30e

SHA256
736a16fe4689e1848b96acb57a283eea828e6d91dafcf5883fe8de75fbb25293

SHA512
b77f8125c81855fb5994af850b82da1c65578bffcc017f6e53aaf101510b7c1c50210bd73727d386af21980c842b802477e89bba90c00080ff42365a15390425

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
358cae1c582ddc7d217ff5d3ab51dadc

SHA1
2e860795fe4433e8861f1fb725326ca8bf550fbe

SHA256
1e7fd79a32a13085be6a0a12a4a42591b5d71f22749fa8882359c3e1fe07e107

SHA512
8265f5384621e57f9eede074d22436f1d093f4704d59bcf56ca906c432704cd799370b7bcc1e149e4d1926b12e4130f3953b56ddc9a4f40e5c7189c33b153dc9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f9e829f9802489c4a05b8d387ca2f60a

SHA1
b342ae7778258f10cb6a7c167f488444e4640c55

SHA256
bf983b5aac6293613c79b1d533e76f6af484c29904c357c7fe6814ced77efb80

SHA512
b1088aacbfe18e1e8c647dcc975f7ec1844c98a39039ebbd0d28166b6cef89a6df5c6e6de071cb6b83c22b2ac54875224504b4300439230c98235a715a4800a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
879a9e272ae157229b64ff6047ec2218

SHA1
f97351ccdbec4af761dc6ef7b9a69ffb6f64d02a

SHA256
8ab6b6056f07b4f411152b945f895838c055bc875c7bdf48a7113e0e2e5063be

SHA512
5818c34c4b4dad01b121b65595e0c877f5a64eba86a0bed48f45e0854cf814a60e58ace24a1f933e2b03852892fc022c4268cf05c0b188833b8ec28296b7ab63

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
16f62f57511e2419cd9ed4a34b142927

SHA1
62b7e6b9832f8956530463f72693692fb60c9e5c

SHA256
5d80be3cf432c43402d12c718f9d6cfcf76ffbfe64373501f82939cbef17c0ed

SHA512
319d657f0fb3804506f4162ebeda80f0e1740f90a3b486e00bf624d57e1fb42a21b83efff625230c6210102afda6ca88c66eb2c721fe4d5e3c2641499186d255

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8bce28a8609734902513bc040314b0e0

SHA1
101ca5d7c7d04c6a07dcd5b7dd038ea72f267342

SHA256
6de018847c1143ec18918c2a640a5bfc1fea331563a526deb4103df89f12f45d

SHA512
bc1c4754e54ed6f1c5d7913d0649f0a4a0e9c077600563332af66ecf004183cb13af31dd3e23ec0c0c2c52735bd2b18af53fbbbd33a45b507c79fc4eb58e3813

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
91d0de62f1005f6363d2e9d9f6c1a286

SHA1
5ad6693d664e6c20e6b0129a9e9d2b1b6609fb85

SHA256
3f8aadf6e4d482156cada9377c8d3909279a3c42cfa48aa1e9cb2b303add5116

SHA512
c016477b23c94cb1c127ce05f42f8bc25663fd46c994e1f5a35487267baf450e193a13a183dfe25bee6d303b2e33d212514e6d9a4c407eceb41793547852bd51

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
fe544d4eeb8ee141ec5eac7e627548b0

SHA1
95a1ff175753393316da7a3bbf40acfb9f1803e8

SHA256
b33681d42883c15838f67f4bfdd2956a60de42459a8018d8491fad00c9ee4e79

SHA512
e5fb4a29c56cb9bdd45d6db608d3051ed0d04f787971b9805e5806cacb96751085e6fcd165b9790173a7fc89901cabc3d21c104236d02ad6917c6997173be331

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1176976c31d3fb852931a28c6e4fb98d

SHA1
3223dc2953be43b2eebb2b364f52ff9a7d355f46

SHA256
4f73ae9c6da8b9f658605743953bfb46fd2f40bab95d64b753f42321b5086b5c

SHA512
86bf09670cb005b73ddd5b9ddb8b0883e78d10f49e047487a15e857434af8313524ae261505878bec1cd8430a9ff932a6fe7cb0cf2b117d75d741e1f9f80ff3c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
98378bddc783c8745caa221cd99a109f

SHA1
2f6f6d06ec4013a2d8c0ff97c973a3feb44fdbc9

SHA256
214a9565901ce743440d76bbbf83f5fb8e45fcbf9bbdebd58ded72f7bede5481

SHA512
e28df7d7518517894ba6a16a7b2497944a7745b46d4bf13c2516616aa72bacb974a4474b510b37464994413d626740a3f060724c75c73bc612b686c664e4c8e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8a275561825013f31187e236a6392c85

SHA1
c8218b9b1a957b16f0f75601cc199e181e410073

SHA256
8c09429d9fc84fce0084dcbcf8a34f254cba0cea35f5a6363ceec00197aab24d

SHA512
528a70f5dd5850076fb604a4e6650756f44761f693bc7ca71ccd1a6baa20e4194c6aa7e2ca0e75c773b9a001ffaff3de7721e1898375c8a8eb71f3ade8670add

Download Submit
memory/8-375-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/556-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/556-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/556-310-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/556-301-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1060-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1060-289-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1060-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1360-73-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1360-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1360-57-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1360-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1360-94-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/1672-267-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1672-359-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1672-276-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1700-100-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1700-25-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1700-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1700-12-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2260-104-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2260-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2260-91-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2260-83-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2260-84-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2420-325-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2420-314-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2476-246-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2476-236-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2476-311-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2872-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2872-274-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2872-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2872-203-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3200-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3200-229-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3200-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4344-355-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4344-344-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4464-103-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4640-216-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4640-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4640-209-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4644-151-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4644-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4644-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4644-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4848-119-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4848-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4848-117-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5172-30-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5172-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5172-8-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5172-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5172-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5176-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5176-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5176-33-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5176-19-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5260-360-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5260-368-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5292-260-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5292-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5292-252-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5448-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5448-234-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5448-244-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/5448-176-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/5460-221-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5460-152-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5460-161-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5488-192-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5488-250-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5488-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download