4850dc8c4c65e296009fb6398188e1ad8c9531f2da02520cfd4693e4ac7be2f4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
Size

3.2MB
MD5

f8dfd8157ec08f57572108762ef28e25
SHA1

e7b7b35ae364636bc8fb4b699a178628325fe7cb
SHA256

4850dc8c4c65e296009fb6398188e1ad8c9531f2da02520cfd4693e4ac7be2f4
SHA512

d1168f02b9b3954b22bcff9bced4f528240381959aa9f4b2127d9f46401486586261dba4c302d87a8ec55a02ecd0f2da6c3c87eeb64f17b4b74dcbfd7f366022
SSDEEP

49152:g5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy+/snji6attJM:GNhSMYw8yGEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
440	alg.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1964	fxssvc.exe
1344	elevation_service.exe
1092	elevation_service.exe
2364	maintenanceservice.exe
1640	msdtc.exe
4580	OSE.EXE
4516	PerceptionSimulationService.exe
4828	perfhost.exe
4988	locator.exe
4196	SensorDataService.exe
4144	snmptrap.exe
1072	spectrum.exe
5308	ssh-agent.exe
5572	TieringEngineService.exe
5824	AgentService.exe
5984	vds.exe
6128	vssvc.exe
5428	wbengine.exe
5552	WmiApSrv.exe
5856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5e9522a5fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaws.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e998bc8ce793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000490a108de793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007041c28be793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ad2308be793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000425c598be793da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2884	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
2832	chrome.exe
2832	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2204	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
Token: SeAuditPrivilege	1964	fxssvc.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeRestorePrivilege	5572	TieringEngineService.exe
Token: SeManageVolumePrivilege	5572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5824	AgentService.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeBackupPrivilege	6128	vssvc.exe
Token: SeRestorePrivilege	6128	vssvc.exe
Token: SeAuditPrivilege	6128	vssvc.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeBackupPrivilege	5428	wbengine.exe
Token: SeRestorePrivilege	5428	wbengine.exe
Token: SeSecurityPrivilege	5428	wbengine.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: 33	5856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5856	SearchIndexer.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
5344	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2884	2204	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe	85
PID 2204 wrote to memory of 2884	2204	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe	85
PID 2204 wrote to memory of 2816	2204	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe	87
PID 2204 wrote to memory of 2816	2204	2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe	87
PID 2816 wrote to memory of 3600	2816	chrome.exe	88
PID 2816 wrote to memory of 3600	2816	chrome.exe	88
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 5036	2816	chrome.exe	92
PID 2816 wrote to memory of 2980	2816	chrome.exe	93
PID 2816 wrote to memory of 2980	2816	chrome.exe	93
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95
PID 2816 wrote to memory of 4656	2816	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_f8dfd8157ec08f57572108762ef28e25_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c0,0x2c4,0x2d0,0x2cc,0x2d4,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcef85ab58,0x7ffcef85ab68,0x7ffcef85ab78
    3⤵
    PID:3600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:2
    3⤵
    PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:1
    3⤵
    PID:980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:1
    3⤵
    PID:3196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4136 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:3488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:4788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:3644
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5232
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff615a6ae48,0x7ff615a6ae58,0x7ff615a6ae68
      4⤵
      PID:5288
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5344
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff615a6ae48,0x7ff615a6ae58,0x7ff615a6ae68
        5⤵
        
        PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:8
    3⤵
    PID:5864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2464 --field-trial-handle=1912,i,13931003634336621202,15233860121799713961,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4196

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1e78ecb06474b41cf0b455b06b40e92b

SHA1
7e9b968045041ea7607a2cb3f833fee3abcb54c2

SHA256
8b9bbbfebd956a31692ff758601caba12522a7cf9ada656e09dbaa03b89d29af

SHA512
4b287b1d95a83542f45d8226840811f64f8278d7c0813e79ce3f5ccb7b85c0fceb9f58f4bdc95279abaa6ac86a58678472e9d6d0ababddca3c53975282a0c36b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a73d81b94275c6fb496060693b7510de

SHA1
054843d8ef70c18d33a0fa2cc03e2a394cd9e066

SHA256
3ae5792b5d8b2d1312347c671121ba06903c774f225e86fb06a592b7e369840e

SHA512
152ee8894ee95d2998d245a432154df083dd50899691aa34111170ca44fd17161d6119ccf1dfc22f4ce0234bc3aa80c91e34ce0e101afcb295f0a51e0d786a64

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
137367cc537ca1d66b9bcb733f62789e

SHA1
1fd0a97f3abddfc18423feb9a89e69d50ec7c274

SHA256
ab574993f5774ae51c20944491328c974fd828748cfbaed8408ff7bd6847af2f

SHA512
56934b74a4b63fc1acfd1179c32bd26a388069aa1eae601cc3dfdb41c3b5229d6030133e209c9f3bf41b3706bf0476020aa67ee2ce8d785c61be6a342d0cec3d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
313665c61a4072e475263243f9b33ff8

SHA1
7a6621d0c1f1151b12dbdd581cc51b2744050631

SHA256
08c99626d1813fed103deafba73f0b31ca9b421d59471b52719bf40dc0143806

SHA512
0dbe357fcdb0acdd6b21dc73dffac213226871bc75640ec9a2d16df6a0fe0eb3e5f96fa98ca6bc449db3eb37d287f22613cfef4e2fb0cf8322ef46c0d3da8e8b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
55a11c11cf14174d01f7719ab7026780

SHA1
485691690c3ed62f947019b03745d29c2c4767e1

SHA256
3d5762ef2e73a18c7b2cfad3fa37f9049bb272a3525f32a355167d49f5e902fc

SHA512
009951196c2dab768fcbc11320a3bab8b4d151e2f95c9ac37071d5f4c09da4c67439839ad8d56d20f64f8a8fd329c4467087ffca5848ae7cfc7e0c6cb92fd3e4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bcd1c604525ec86eeb4070d304fb288a

SHA1
68618c0c6ef4e7bd26e27d66587a49993e90ea47

SHA256
7c8510f33f2b0427580c9ce22150166f62611295497fd22a07617e392004eaa8

SHA512
915155cd77153bdfddebbfc925dd219efba0143ca0fd11d619ffb35f7f9be9bd292747c97cb30c49a9cd25be1d83dffc59b07a5947622eb6acbf7edeb9dd18e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2455b3fe4a405924db87b249b07d222c

SHA1
08e3dda2651a9dc4de766d6278da979dcd2a1bac

SHA256
d2373d6cb71da777a3339ff958210d60ba4fde7a21aecbd3838f540bf2c38ae7

SHA512
9c0b63da34dae9c329a557804a3ee9054be3255449ecb613f42ab6390da7a9e116484a4f2feb80a5a671b108c9fe45c369809d6ca346d700341b9ddf984f5adc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c4f0c651b15f46f4c3a9f32690cd1167

SHA1
a2664964b733ce7390d1bf4411fe1e0494c07247

SHA256
fbd9c18a07edc4b1b4640bebea84eb896040d9dc39c64697c14306eb1612aa10

SHA512
ae76e17ffa3921c20b41f08814a975d1d4644fb492323fbdccbb96e1802328e6b868cb59b15166a555bacf28a4f40d0685826f04c1036d2e699d120c990239f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9eafc4893df9e8f0e56b53f333fafa02

SHA1
fcc97f298bc5fd491fda91dda308f871366655b3

SHA256
905cdaa391ae4c28c4c751b631f7b5dacd7ad5b844eeaf179389e0b2602c67f8

SHA512
2cab8bb8569c026e3c9e475dfc4cbf564b135d8fcbd90cc16dc7026dfbbda77266db21461d0f8d672bdfadf38192c4f20634661423b7eae6de682082581a503c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea92338cced2ee54fb2524ce085cfe09

SHA1
7647af41a02ff55605633991692e2a434f18b91a

SHA256
11122f561949ac2f320ccb2cbe4b7f693204b60ef30de45fd0af958446448b6e

SHA512
0ec6a8dbbccd43dbae947d480ad8e15f6dd6ea373d9d6d7dd90ca798b848f0350fc877e06b229c43d5547749a1bca41dec87d37422ff75c0c2b864952c8c69a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
403fe0628ed7165e39516d04cf67820a

SHA1
445f374e1ca4109ac603ce985529ccd289aba0ef

SHA256
a770d1385baec48bc5380da2017dc32112f43a2977dc3e7964751cd92c7761a8

SHA512
3a32429c2b8561731115c4db064c2455c558b0048aaeb56da86d741d95c65309ca71f39bd805afb90e4d9d16b1960b7930bf87d5fa7dce4bcd024f3ae517de5a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
484af1468b6e7319432dcb90f58028ce

SHA1
3b2226ba83c354cf4ac28013cf8d0f1659d54a14

SHA256
4cfd739ddba6db7630b31e84d3d3e721543acc159d836df353a2d5aeacf81d4b

SHA512
1974952de5eb89fcc6f1fc339c889b70fd656cbf75637105f50f66a016c5543188e222e2c92e1d28e750dc49508a56313778c3b9c60be0cda369fc656a7fad49

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e4fe1fc14755de6f080e76c6365cc0d3

SHA1
5b64bf5e5b3a4d2197f5f296e44814b1944ea2e8

SHA256
a2cbda278a85bd9e94e40fbb4264be645933c9eea6a08a65040a3dc691a92e24

SHA512
91528363a29dc43218cef54c09c9dae6667a7669bfcfa80f1c587f1df739338fbb3dc287e55a4320e31b3b433f2b194911e4d8d32d9a48ecaec51ceabd985036

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
154770391a3fd2977f959210b2c20639

SHA1
c3c6f04466824b2d98be64ad017c7da58b773a3b

SHA256
a5ca6325c96cee7c427bb02c7ce455ecb921383827516e935411580dcc9ae22b

SHA512
177388b4a57ce134e3c49a561b4792070a907fd8a68a7bc243cf137768ed181f51970e4c751d8cc1b4af318a576f05c26692363b520ed4dd9dd22dc4c7fb71c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7fafe4e89fbcb1639f6d49015d36227b

SHA1
cf98411915380447c8d2a2fbb8a7c3d8058774d8

SHA256
9c1ba35c1297f0b2837d4e7ccd119fb0de770cda6d4a6b4021017122b26c596c

SHA512
50d8f6438ebcc76781453cc4956030bda23ab0edf01dc90a11d76ce76364c5949655e6f853615461a47e12c9cf6c0687b690e5dc70af06b55a0497f448304446

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
82c7ff8b12093772dba6e416a2f6104f

SHA1
0f58280dbd03db0c4e6e082da7125c866ab7c15e

SHA256
80279fbfc3eb0996aaca95edef6479e03c31539a38887ef30af946dc14a9ad71

SHA512
9979534ca18db199ef31d61ab938faa5acf5137366f83c73082c9005ae7fc663980325fac1d7d6098ac6c449e4a88178d813191b8b1820e2e9421a2aacbe60b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3dd1c362ed8f350225c4321b2d79d62d

SHA1
80459ee90bfe3d4087952c9307c14d2ee4c6fd0a

SHA256
66ec0d998cb0dfcbfd0395b8412a5bddeb36c3464c80bb1be18cb736a0d3ca34

SHA512
f6acc85f5b685271ce74c085eb736e3ffa7e55fa8b630f383b24fce526cce5bf8ed3c43f9430c4d0c4ee15814db26a9c91db018891f5d3d543f69d67ced519dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c0f12e3d76f441e0d1fc1b44b395e980

SHA1
84b0a215adb24298a9e9ecbb77bf7c7a4e19c1c0

SHA256
add7c5e10df1059598a73999e1f85770659045a95fe6d4ab27684e93374cb7a1

SHA512
226673e5343ef25d7f61a894f0ca424e91dc750f503dcbd3a8b6c9dddec8f70f98ab6240998edcbf1533471589aade7e30009c3cee6f8edca8d3f3ee11b44533

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
93f910607f8f4c7122442c8f596f5dd6

SHA1
b24fe6ea3f2df576285b9f8a0a6ab5d6e3fc42b7

SHA256
0ea5440afd345ec796300fe387728072efdde2c3be55636671bc5a79a14c4e9c

SHA512
35a8245e43db5b68355ab62a7a36d4d8f57aec9e0fc7fac77a28b8ed330183d92dc3999086dfe4ef0e1a72e9ba926c4c875a682c32c5951c88a93a19492a8294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2f2acdad67d0ba51ca42ac66c2cf3020

SHA1
dc9e93bb9d439c255dd4dec7c1180cb9668c12ed

SHA256
029e82f56c919cb5f44c8609fd1b709d9575c753a3d36b74f2b4193e4dc0b10d

SHA512
9d9ec6847d743ec251e5b4effb1be74edf03d28b41fe286305705444139aef075da1620a0e0b5974173681b7dc6c91c4bbede01bcb85669fc4c5502a15014ccc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3ca707ddc202098d72253e07b1da0f7b

SHA1
0983c8f32c4d46d21daecb4b5d5a8b21c4a7f40d

SHA256
41a62d68f1562c17d1ad0aa722d3bcaf22d484b4bc12ddf3a1380ea9bc36b34e

SHA512
6e09ba35061d94420ce5c28d62847579b9c209dc0d87573ad840f805ba88bd00711279e4d6bf5e87eae135445b45687a6aba8a421e487ef6b25552a35e93b2d1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
201e47ba1e0322be21d3bfd1ad6bcbe6

SHA1
fb7a1d5e84ad450cf4eb84656f5f9692f2d1d50a

SHA256
7f4f7d10003c25b523ed04a52ae2f88a6b8fa32e9d1f685c64b44bb2dc395028

SHA512
2aaf114acef5608a8f116978542d34cf6871b7485b40a3ed7a2636ee6dbc2acfbac551cf210aed3abac17fe654c446df91305897077304b45549e86f2adc6655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
27cdacb86a5c84a5f3d210ffba0e0e34

SHA1
edb95dbbaa7fbf207dd5efb34891af7312ade18b

SHA256
99179c316d10dbec3135c1d6a5c890c342ffffff6f2b368ffb76b9d38f9d2d4f

SHA512
9d83e6100b7a261b02d0442c2c68235f51b0b66f8badb3c04556970f33011236792dfcb708aacc737c8b8cd6a48b43277bf84ad327ac15ff124a552e5af90b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5054ffd265fcd75aaff700c0bbfb8a80

SHA1
8a4feb858c712442ee5a91e3f79feb90513cdeef

SHA256
095ab0bce53cecc3de2091d977dc4f6a2ed031eb944aa8d32e033caeeab60c19

SHA512
d3f519006c9b4e4c51f445a10d2fc32f541e30700c8f03a03316ea855775d2c251286bd198d3d68220a173ee7198e7cf859fc7425fa5d7475dc039b7c629162f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6a2837559bb1288395b91050d08a052f

SHA1
db1a98816fa232ea7d09201dbefb80ccd8583e9c

SHA256
bb1b8c7fad8ec35473bdb69fd5681ced599480f3e3cc95ca9bd55907f3aea2a7

SHA512
d1323bbc1c166b493bc06d0d271cd8ccd28f23929c01d6d17dc0358033d51abc577dfa50719567e17edcda0431a367ce50b2165fdf8fb4ea2f96fcd49fd2a90b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
97fadd73e84c788d41e8808916cf9b19

SHA1
20b29c12960a3bcb56ef513f57f883f8a9d4401b

SHA256
8fc8512219bb362ce11d6e4f4b7f1d6f3550b5fa6e61673ddadc7eab3e69f904

SHA512
dc17149862355a7f3687afaac9c92c3692cb79c84b955e36e7718da4ca6aa26beccfca84346890ce678928aaa9f1b76b55a1a41a0d1bcbedac33a149f46d6578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578a6d.TMP

Filesize
2KB

MD5
3f83eec20ea3491da5eff4ecd04a269a

SHA1
2bd6a1dba95902229d1ac874636ba43303ceb376

SHA256
458e9ff8954923b8a5788a6fc41f46f57097da4985fdfc96cc5a69d5eaf5cf6c

SHA512
662df191e193fc7c8602695472f8ac3b9298636386104dae8b118e562701b6e652ff5fac488d56a36a4dedcfb1fd46454b17212a5934150766f9e2a41e5c637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8a94781f0e75fdce3f632332adfa7749

SHA1
6132af464bcbecb18c2a15fab9f14a4f5fccf524

SHA256
baec4361b68d632af3ec0224ff64aecbcbd6b46d40f7dd0480b143d6465f38f7

SHA512
f48a695d0a82959da28bd7792e96a9542cb23e9cab6ac8b9cdce30f91d345070ad47b8b7722e1b5a8c6522904591428956f78835247eefba74cf247080ea8d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b2fd44e75a8d55cc2728c836daae90d7

SHA1
751e2b1983b3ceda769047f738e73da4a9c31633

SHA256
4cf08a41f421a6bb3596d047f501862c8a3b55e250e6824702952f8ef1122a0d

SHA512
eb8f850c5944e57fdf3ea5fc2fc5ddc8e73fec33ff6257518f10c98ca260fb1deef579db2ccc1128917e3576ece6b2896567ba1d25ea43e7202658df1df5477f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
4163bcbe156cb90fde39fa41b5a25c19

SHA1
fef28cbcc7dadf46d0ffd3b6116f01acbfae3a91

SHA256
7bcdb72e83e101666ebed7ea1eabaedb68b03aeca3633bbd2986138812c88a3b

SHA512
8bf8c0e03905437147d2e929e19cc3c069ad5f9a7c56e9f90d7388457b02af3339e91dc0b275a18454c37f8531dfc15ec255a06c5a891c056b16f86c4c93fc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b0b3cd829f37ac74b06f05a9ef5f53f2

SHA1
4886955be0cbe593b26082caa899bab48d84db08

SHA256
362bfb847dee724749041dfed46d944619baaf751b56ca1c0d8ffee31ea4eaa5

SHA512
9acfb963502bf17bb13e14ffa4709c6cb951b65525fafbbabbf306898a437b8614184928157e32bcb8f3db72b03fbdcbb70c0b5e265d53274eb96349d760da8b

Download Submit
C:\Users\Admin\AppData\Roaming\5e9522a5fc7bedf8.bin

Filesize
12KB

MD5
73ae5542c2b4cf07d5d5dd1c44b0d5d5

SHA1
361e4ea5b1601ffebdcb1c972a88586d116b4092

SHA256
1757f137138e7ec60f4af2a624b1172c0eab8688faeb67f9f1e4e2c7b1342f2d

SHA512
0efb19f70759f42b4d74f539f5d79aceee0967e0a0b09598ac17196b178adc394a5d5a2242cb4d2b2bef8d66842d5259b3d041ee0dd3cefadcddc7906c1b66ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b93333f09cde9769124e4a4537094a9d

SHA1
168144edbff31d14f3d558b56881fc467c53769a

SHA256
8458ece0fcee327b24804e585ea8582cc1ab07950b440c5c9c3750a9a5b710f9

SHA512
037ab486f2a57417bd40d8c94ada4edf7262b09b9abd09e9807e392789a733d492485ee7d6b6021bb3a620449e0943671348bdcfda9ce515f9b53a048fb7a138

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
788919e277b6919577d652d9d5a4dcec

SHA1
f87871bf827edf763663983b37de9661f9c6bdca

SHA256
9ddccd776ca4daf00e6e08b473ceb72707c5a80ad7f3af2bd06bad985096c43a

SHA512
5a4f0b714937be676bbf30a2f18bcd7e9d2aee1368478ef383f50064d496993f764c9e3958aca69b6abb35c33a611f0bc8a62243c861a9dc35c5a7350092038e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c76ad5d840fe04c98e8647690f8f935a

SHA1
0861399ffc93d7c0f786de39b12198e3920b564a

SHA256
c8820d07b978b8239bd889fd319c731a39266294b5626c0ea680c47cbdc761fa

SHA512
545097f3c2766561042b4a21da9988c5f44bd6ddfb2142e1fccfeb65f5a1c1a230c50c3939428ef46bee9c88e0a0749885e0a5b1d147c2b126908b2644f69b24

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0c666de454af7c4b1e4ee970ea8f4929

SHA1
cf427f5cb2f9f58c1e9eec1fc688f8df1f5c036a

SHA256
7e9ac78833d4b77fde028f379d4a03e7f13926b5c22e47eb8983d44730a7c619

SHA512
32d0e455c794037993f7de15d57e7f70b4000dd45cd8e98dfaa21a5f6f7285ac137818e423b37e67c42abc5b1233507b3dcd214932435ca9c715fa76c7593697

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e8babd26db5364999ae957ac2bfda99e

SHA1
d48a54e0f48a3c3d180b4dbca741fcabd42c7012

SHA256
227b71b74853e0a3168354f7d32c8dee8249b3c778c551a811abd84f1f48e234

SHA512
5bb0cf68a2f31685c455963263e47b9449293c6bdfe860479ce2cd35af7a662c13bd059f3755f7aa497815cde7346f497c08455099770fa883a38cdd8408a41f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a02f4aabcbdc764d2c73aaa9c00a0fc1

SHA1
90c0b2c2353f252662ae706735247ceafdce91ca

SHA256
78526ebe2c71fc15b0fffd62f270cf687d49f4d753e7d373ec8eec1d42833c7a

SHA512
b46d4da8cefbd1a347367d960001af6cac4b4ca8ec89eda7cf6e4d51e641c3bca5950244fc21422eb0a4d2b3eef3f7cfde78fd3639980db3b1cb5a2dadce4d91

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
50fd9c25dc27be11b22c449055f216b3

SHA1
6eb2aed71f82917dfe6cf3c14abf0d2039e496fb

SHA256
14c5b0ddf8bab56f9852907a77f88ec846275bf9a46048305ca531448296afd3

SHA512
ad459f6236b87a19d712fc7abd79d0bdcc77e5db0861a4846d2ee9e68d19ec2e0454e39ff45df9ed60e344390ab847a1fb8edb030b73ad95568923ba692f5fe6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
86172efd44ccbd199b7957e97c4e4a5d

SHA1
9301457a8eb726e771eeada971ce9012440de2e6

SHA256
d7df199e7062efd79ddc3d9d500996fb4fbfc5ca25de41e83e91d402d82519f5

SHA512
4cb6b691f3c017def9fea9d7d54a66652cb62023c46ea84ed8c436e771c5a534a2ed983fdfc2ee8e066caf130314d7ea932848f63f78af30871d7eb9f74bcb7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1b9b125b9e24b6e58a63fa2e7a5920af

SHA1
3e984e8cd634f8528fd244f822105ab5dc772ecc

SHA256
ebf3727a514033c63adb58327f2a31f14e9cfc586b0cf0f6b347a3d2b58cf984

SHA512
9806d3c205ccb347502281bc0390f580c7bf408af3b3ed6be0549e57c425f210e2beabc339eeeff80f255343b3427ece5e221c291ab53d44ea4cd075e675e7b2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6516b54490a2cc70af6da7596877d588

SHA1
bba5c1dcf8cb234463fee95a7398118d47512725

SHA256
3f09e2a9efded2e2547ac3af3b4a46ed31615922c61477183796a5b2987dda57

SHA512
14b804c4e9e8406f0fb6254702ae09de1f923b0205fe3a1d494c5de00dcbf549eb44d4599f364d486e16e77021c4f67b511906735b3226fb1eb5b26850d12a92

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
47590934766532c1ec32c342f4b73444

SHA1
5d024ba83ca17433988bf85920a1987a25c1e0e3

SHA256
55412a4e03c271e37b79bfb6988402c1092f24b17446d44bcf78de731032982f

SHA512
601680d542f323bbdc447470fed65530a097a63960d846efecb879a5633ca635bfbd8306bf981a7f31cef3feee61a8e91b16505d5e04c1ae7dba6fb4a4f2b960

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2fbbb32606a9a019c7f222bed127e020

SHA1
9662060923e838572809463a3b4c77630613b37f

SHA256
08a04e73e977d59698be19b851873e648240d1670e8cf1b36cc10b4191bd1857

SHA512
76b4d4808bee2e0075ea227805345a3847ee38abfa813b66a0d197ad3e1b9b3c5b7f49bd766893462a74dbead864675391ad1a059b1091754895bfea64690267

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5514fa4a537872eeab2d851ec5a5f76c

SHA1
7827b67c5a23d949dc8f716f31c2ebc2753d19ac

SHA256
4e75bc0ad9db111abffb1e76dee3470ee6255a0791e9aba492b068f8f48a441e

SHA512
a729ff0448129fb300cb92253d78ec593bf2185a0e5692ebb4cd74e489cd6a97c4973c0b2469aa3e047d4e5cdb35ee100e1eca14b6ba442238fe86647b762cdd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7fb626aa3d3deb72d89b67580a827e84

SHA1
22076f78522b9f826a05692408f4ec0402fc740e

SHA256
9d0738205ed1290f9a293b3d742f7e4d01fa9e1512a0d8ae9011bc6999fc246b

SHA512
6725dc6134e0f8be994fa7ab9cb12259cf0efb8cfd48c1cec6be9598f7a4dbe491004066bcdeb7febc124c9d92d3147a529974e67c9ae2de43474c52462d350e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7451bc4bdef7a13f43097fe24475092b

SHA1
5cd7f77d6a8c14c0a342b25c05ce7409479b7e25

SHA256
88e87109d47f47e1d546a741014f0987e35f056942711254ad08c4a522f5f473

SHA512
95b5e929375953e053fda904b2b2d348f24b1a33b6a661f8b63a6d438d9ce46a0596db40f7f6909ee09429061fb61166b084bebd011d8144cef4e85dac4c8525

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f9c0271568137ad0428bf09045c96956

SHA1
2029d24bfa18bfea7de2b6b5a4528994a8d83a39

SHA256
d43caefb63d86fd09718e3e36b8c672b994bf6f949a0d6b1c8c4ff5d2b83e3eb

SHA512
b7a980b607e56cd951775db716fa4ff1f2746c118a6ca5097126a6e16fdfded734c84e870dbe57bd7d0ce931503f4b12977b01d084e7b49a48af2ec3cb13a021

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a413963d09a9f1d59522250ade568ec9

SHA1
97bc26859f5105e963152b6e919a9b96a7803126

SHA256
635827fc077a50c1333ad865ae916122726f1f511b014ca570a26ad6270931fb

SHA512
655571d441444f8ddbeeca9ba2320b9b4366e38ceb1cf0adc7bb2e53d9fd5423ad06d292bced43fd97a5571c1f94498bd7ca96c849a99c93ec025bb4e2889700

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c44846feae890d35a4475c18f64cf50

SHA1
6fa3e1d9e3039c4613f9eb36fdc953b4b99c546d

SHA256
efcaf7634a5b8f3c0c2847485ce6a18072d5bc5be4002be0baa9f2c0fc754e8d

SHA512
bad25aa83ae84dea6215404175981475729e1c7b36e962602821824ad5829b3a1b6b9a35e74ef12839058fb3269ed7a772816c5f182142bfd31babfe01f18c80

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2017bc1ad588db6593742f6028f2b8b

SHA1
b78a7d3575326f7d3c3b9d0e588cf171576fb803

SHA256
30cf58ccfca0689267931d90c8e331aee3754f9c101476d0ecfb9f87e1ef6af3

SHA512
66af70621d5765a0249f61f175113d36649c4ee50a1a97a88af67bc335d22ec9a7141cb580314b448439f6ddd37577c894403ed5de32f2b9bcf81c5e0f24f270

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b021cc19dba4cc9d925c9bc135cc9971

SHA1
6176f4a3a2e14a7f9fb2f8256568924c4508c3cd

SHA256
d2a8839a5b419fe868070b70e66bdc6ba1173f87e9513405eed0ace12a451d7c

SHA512
1fa18d202aa04bf2f747cea4e78596d2b702644d2aaf05001648bdc498b7aa7165bc348565a36669b2adce4dd9d4f7bf27f3d5b51377ff7a8df0e22860ac0865

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6c0b6bd4d4481a944fc19a9179e43e74

SHA1
e41ac2648a34a33e24fb14c42636583b9c1dd50a

SHA256
aab69e214df8951fac9fda5eb0871f879162f9776284eed5a7dd22108a09ccd8

SHA512
8d1a6cc8e5072bf42dabe05508a8db43b265eb23e0a20a16ace5d91261002b53f9b3f475929397e542284408b0047561175e2854aaefd06314dbd021f9588ef6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0973db30994f5d0a9c25566436ce3bf3

SHA1
4553d9607e050d13dfd6bacd502595dd0696ad3c

SHA256
540e186813908f4e256f8e370d28291b04450cf89289c0eff54e441048700cb5

SHA512
33caffd6f2b53fe50fb4791435b809ec81664ccc449a0c82763d069c552d9932c2cace233fc3bae7c94d40f23cd56b358ab2ff67a0a6c161457dcfae5f2bc8d8

Download Submit
memory/440-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/440-34-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/440-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/440-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1072-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1072-258-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1072-251-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1092-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1092-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1092-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1092-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1344-91-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1344-112-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-77-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1344-107-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1344-78-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1492-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1492-133-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1492-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1492-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1640-137-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1640-221-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1640-142-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1640-211-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1964-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1964-58-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1964-94-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1964-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1964-65-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2204-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2204-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2204-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2204-32-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2204-2-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2364-126-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2364-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2364-138-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2364-115-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2364-118-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2884-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2884-100-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2884-21-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2884-11-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4144-238-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4144-246-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4144-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4196-214-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4196-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4196-222-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4516-249-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4516-174-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4516-182-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4580-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-159-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-171-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4828-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4828-193-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/4828-187-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4828-278-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/4988-199-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4988-208-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4988-290-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5308-280-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5308-270-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5308-355-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5428-365-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5428-357-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5552-371-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5572-295-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5572-305-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5572-368-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5824-312-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5824-322-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5824-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5824-326-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5984-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5984-338-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/6128-351-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/6128-343-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download