18e0ba14926a0976ccb920948399e202b8f940ff3e82b2ac62b0848a89778a1b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
Size

5.5MB
MD5

de4e08342d8782767dad471c8d247835
SHA1

51b0cdc3d4ad1b81e2780596e8a717d8ce412e29
SHA256

18e0ba14926a0976ccb920948399e202b8f940ff3e82b2ac62b0848a89778a1b
SHA512

2487752be7142737e97a7ac2537d094caa0d0dd24885973b83cb9b3874d6cd8a639c35d34a334346130fff08635f3d0155e3769f08df68a75cfab72c471b5400
SSDEEP

98304:HAI5pAdVJn9tbnR1VgBVmWHFdi4VEk0V:HAsCh7XY7LiJk0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1216	alg.exe
1080	DiagnosticsHub.StandardCollector.Service.exe
3436	fxssvc.exe
4796	elevation_service.exe
116	maintenanceservice.exe
4816	msdtc.exe
4008	OSE.EXE
64	PerceptionSimulationService.exe
2236	perfhost.exe
4540	locator.exe
2284	SensorDataService.exe
4276	snmptrap.exe
2320	spectrum.exe
1000	ssh-agent.exe
5136	TieringEngineService.exe
5256	AgentService.exe
5544	vds.exe
5728	vssvc.exe
5840	wbengine.exe
6004	WmiApSrv.exe
5176	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f74426c74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088630759a895da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004280c59a895da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060c42859a895da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583689164487415"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1858a59a895da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006920a759a895da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c4c5159a895da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
4332	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
6792	chrome.exe
6792	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3592	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
Token: SeAuditPrivilege	3436	fxssvc.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeRestorePrivilege	5136	TieringEngineService.exe
Token: SeManageVolumePrivilege	5136	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5256	AgentService.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeBackupPrivilege	5728	vssvc.exe
Token: SeRestorePrivilege	5728	vssvc.exe
Token: SeAuditPrivilege	5728	vssvc.exe
Token: SeBackupPrivilege	5840	wbengine.exe
Token: SeRestorePrivilege	5840	wbengine.exe
Token: SeSecurityPrivilege	5840	wbengine.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: 33	5176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
5460	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4332	3592	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe	87
PID 3592 wrote to memory of 4332	3592	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe	87
PID 3592 wrote to memory of 3692	3592	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe	89
PID 3592 wrote to memory of 3692	3592	2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe	89
PID 3692 wrote to memory of 4048	3692	chrome.exe	90
PID 3692 wrote to memory of 4048	3692	chrome.exe	90
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 4584	3692	chrome.exe	95
PID 3692 wrote to memory of 2052	3692	chrome.exe	96
PID 3692 wrote to memory of 2052	3692	chrome.exe	96
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97
PID 3692 wrote to memory of 4500	3692	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-23_de4e08342d8782767dad471c8d247835_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac4d0ab58,0x7ffac4d0ab68,0x7ffac4d0ab78
    3⤵
    PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:2
    3⤵
    PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:2052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2092 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:1
    3⤵
    PID:3840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3576 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4200 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:3536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:3048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:920
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5188
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff62b18ae48,0x7ff62b18ae58,0x7ff62b18ae68
      4⤵
      PID:5348
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5460
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff62b18ae48,0x7ff62b18ae58,0x7ff62b18ae68
        5⤵
        
        PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:8
    3⤵
    PID:5332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1900,i,17088085800394645718,7937199117426873325,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1296

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4816

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:736
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
41d22d19094f22cac3dae6d6e14a33ab

SHA1
fd486241df88a3b536324e2c255c5e3522daf26a

SHA256
45306382035ed3a909ad4fefadb0bdfe2680a8eb78c99b0fda2849223e2f1e6b

SHA512
678fb0fef6245cffae239437fe823834bd1caa30af71ed478730603b959e664098715b649a24b774f0245857372fec9366253d0d034f9b0a0f651f0566bb5cd9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0a95aaf1b48eda5f81b6ad0f14c6047d

SHA1
3c30b358164a38b87666a72f387ff6db6901bb23

SHA256
14fe0597b29a809f8988965acab8948d34c5cf9ab324c5aa3bb5c7b88eb2aec9

SHA512
b2961e80f5ca54ab404aa62681dd43a435a15735635cd039d9a5128295119ad68069be86074c0315f29628f3e0bfcbb0e57e255ddd62e6152f84c38a4a4f4476

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
41721ba8dffc759c884d4034c685c1f7

SHA1
cec27e4f5a36589ebdd2a972101f757b146b1f9d

SHA256
90a4f836186485ecc611f11b2bd4c3fc32aa913b0a1bc98636b90e43a288591a

SHA512
f9eedd50ae62e2d04028e30c215629074b67602a86fda206d55db8f136f39ab5cbc10e06123009f9d7ff9c2b98a4e3623cd8eb2a397f954cbf417019f095c121

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
705fef1f2de6584f8b5140ba006b5023

SHA1
ccf3b37ab6086ce1124c3d56d64563794b33f109

SHA256
c907782206408f86f2675b81274d5402dbbfdb37cf1c27dfd9ce82e29dadb1ca

SHA512
4695c85de828aa6fc9c57b3da6e491423a4259686b6e121fe9d1cf322677bf35ea9c4762800417185fe1b4ef13d650ae8d31dc26ffc19bf28fbd6d83c06d2a16

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
48cc5385ce7591c7f11d0d899ec5b162

SHA1
f8d543acb1c267c44f5412b12afc86b166794a5e

SHA256
0eca1f0586ac968a0aad4529baa593edd2cb976d25244854a73859575d258dca

SHA512
d55b270a618f4907996e5785cf17860bc08a1c183b020c5a43cd8033c8c110bfb30ff2f278e53cca88284809d69153b2bf6395849926f3867fa87f5cb039ecb1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b5a165be446c200b0cd0d12754c95c0d

SHA1
01160ddae5b3eeb58f8da83934daa8304ed78b3f

SHA256
76db71dfe16ad357cdf65191e5d65027cec5ff6b5b97dcbf8365940131e8ca1e

SHA512
4f030e532f44b251d51c4d8b335d4e45967fcd275ccf5e7e34eeb8b974b3eb8e4ce7b63e134f390eed38e26264cd3c227ad6673ee90a1d0541b38a548cc6c9c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ec0b294b0708636bca4bfff243e4cc1f

SHA1
ac8f4f1ba5bc5f77345f5c7af4a1fa77d9297e1e

SHA256
eaa351c4b8c63cff4bf3603b0991c869a8bc145603b2352198f19d385e846048

SHA512
19ba03cf89f1da62cede5ff4246d07ae4012ca6d3219428f255fc78fc906d024bb902e7dedfd1e6c8455b609036acfeb50d8a6bc17d9e3472d43110b5755abb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
67e6da0a3ad560e1a64e941b67431d18

SHA1
59045f896c1e4ddc30a8e3e4a7e60c36f1bd0bff

SHA256
bf6efaa0fa1b46580c9596a8c3c81566b6d8dbb5dadb6d16730ca07053f4209c

SHA512
9d55fdda6b99945045936c4c2aebe5bce54ffc52a491f3c857262fe737613b5dfeb11e6e8b66dc4a4faa5134c98c0c9f77f533ad8dac96453600ea512df0c48b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
575e9bf162fda2a3316a4b0cc86aaa3d

SHA1
89a3f7d56279056ebd5284a236cfc29ecea30343

SHA256
552a8e61c54ed94c59e5d643b91a5532f8fa4ea62b3e4bc1f3229d296ded8409

SHA512
9c69927e07a0977e09a2b1ae81fc280681b1b3684bceb7bb344ad12ba199123aa2326683d91c984c9c5d10c511940495c3a86e621ed9579a8f9f293fd6e524fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
97b1670b7ab5baac7599c3823b2c4ff2

SHA1
7acceb4cd3854669dab6940e5683a156db0883ca

SHA256
a68b65897b41d21ceb234c6ef2fbe1d02d467dcac6c6b027d1f73288b054594f

SHA512
63bb125050304683679d2e2ee8c236db8f47f7fc3e8a1331300a0a3f7c5338959606aae95274caeef54ff10834497a5aa9575dcab28116021969b0c89a2d0914

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
acf6f300b331ed2974c1d1fab50f119d

SHA1
d5f15dcd48a567a858f19fa5f7030307ac512c59

SHA256
22304cbcccda112b6404f7ed4386f72b189e130291b603faea2ff13cb48de1d0

SHA512
c7af7d0c4b7b186e6656b9dd3c10f935160fd80eae6d2d43ab0b4104eea419c952931d5f86dd3a851f97aeed03f0f4f4697fa66c7ffe406b519507c99c2bf049

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
44b89d48c75bd29ec7adfd2bc0b7570e

SHA1
ba821da6febf9031091343482df2b59354d8b9a7

SHA256
0f93bee68b08abc9663482a2c21c944cb814853464b904aaea2daef949b877b2

SHA512
5bed405163c15372b8d9734cb999f473605c5d37d7da933c910b5ebe11f8230e3677f5af49ca9cb88f6a20ee65cae675e113070c7cfb2d840daa76672fee0c18

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
31ba82d1b8791db40e4489f3bf0768c9

SHA1
b2ea4f3c663060f7f7671e20ff71f94faac19300

SHA256
ee00585f063efcd7ee45ad441c90eab421cfce7430649bf46d352fda844c02a9

SHA512
8cb597a391fafed2a68f31624160d39702857457d02e6949cfc870e06fb0ad4822a5066f16854db53fb7d07b60144d10ff1f355fa474c3314d8c8d206d5d1f67

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
82e9f4afd961506bb6fb2d91d43f3ef7

SHA1
bffb29b3b085d1d341691d71db386669ce571ae2

SHA256
d0b9322af06ee2cfcea155502fb17823d8ea34609dc4f8cd81060de7f27d64ca

SHA512
28acd9217eb3d0548237298da5d3a246e401ed3be2362bdc2a3f67868da3c79b6969fa25eddb3021949b38124f1f8f05f426c420750829ba5869fe209a875b73

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e60d221b39c7874606bdc473e7b129ff

SHA1
abc3410ec3635c9f213eddc05bfac5b811c71f42

SHA256
6e85c6aa803047e7a62fdfb3cb9ad786f91ac0ff2d6106168c98055fd4505dcb

SHA512
ff43df961c08085cf69a9354a26c1ca4b8c35046d426141c01e0fccaf000112ad43897dcc1935228a2b767bdb81a86ad5681cd277bec275543682e414452cda9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6e357573a94813ce311b0a68bd4ee018

SHA1
a80e2801ba564120912acffdba780b75b49914c6

SHA256
bf7a7d2554988f7ca23ec9f69dbe611b5dcf48be9cf52c3ff9a33377da026482

SHA512
a5ce0b2c780bb3a4693dc1df58f9f010eee373e5f91e4c8d027d1c0bbd58a185ec8ed7bbd5b2bec2464c496f0c7c8eda134d159418f6fc8aa3722f7d4e07a488

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f2acc674980944c443bf8466bd1f25a9

SHA1
f2f3525422770ab2e83ca1ca8119ab6675e3cbad

SHA256
a84a121698f196c09ac4bd89e4a05af528b7f9064481b0b608cb3bc53f01bd72

SHA512
ca89930fd969a8381b2047fcfb03a55d1142f1bfe6be66826f84c29b5d92f0cdb424152daa16467fbe46561354f08ecb35f24ac3b6c670099a755d505893b022

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a0cac4ac-290d-491b-8b6f-c9a14244b242.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d9ea80f12b3206388474d3f04bf09e56

SHA1
07aac4ab56df08e080a8140d96749e5c48ff46b1

SHA256
921d63320c9d42793bae294420d4de41d856dff17088f4b34309292e7a16eb54

SHA512
a44b48e250163430cd16ad0ec65c255db0a1dc9fcff101c1440adfda4c2b09b7c970511e2818dc17e92393dc6efe7e347a05ea617b05e4eda2ce875d37b959a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
de1a90a3a3b3a74691e4929992175bec

SHA1
00c122b798f08e86999ca83f94b9e6c43acb9c39

SHA256
cae29b6610c0d13de22efccbb779247b48d483efbb4a2dff4d79c39069d87de8

SHA512
a591dc3d2225f89b65c0ac9cf6dc991883ff61a032ac8c30709cc49c8795e35076650c76a392bb6a9f30abe87e26255eaa24622065f3c08648dae4f526ebb3e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
37a58ac7f57615dd31181bd5f6445999

SHA1
831b27537c300467372be8eb8fdda20a476ccedd

SHA256
b2211db4c06bbb107be9b1f0d32ae649dc2f394664157b985abca65a926e7ed9

SHA512
71e05bd5dc45bed38fdf8a960be78ac6f04eca945ea549123e497032730c0f20ee014ed5233a642e1cca940d6a161965affb31c1b1e5910bf5943a7ac8ddc48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
42ea751856ae7583866d580b8d431da2

SHA1
a1d5dbb1cc760ff67d0dafa65b9cc39bc5187191

SHA256
226ae790851205644c1e7058b99330fdbc8ef5b18e44c037cbb6ec477155a1bc

SHA512
295c30477c910aafdbf509868ded71b74f619c65356415dd94ccde706650091232383f5d9a258f4dbd0e9421e232133552498607fbadb61bde947d63c46df716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1e08a152e4dfeb72293d8da4aa8492b3

SHA1
87a1beb3e5df0350463446c236d2a719ebecd030

SHA256
704ab60cb17c0114a6123db0ae94775777e1c3fddd4045c5f4ccc094f2ea9dce

SHA512
f449651a5190d234d2e7f0059c01aff16ce1596c612ecec6057ce836476d00d2bfad1d50fc0c6908095835edf39b9a0c7774bf4a743766405729b93f06a5b0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57fdd8.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b98336c48e617a05e5b081559cc4d6dc

SHA1
793b3f242d68968d579e50308e66f8c7725bade7

SHA256
fd384fd47723df702f1961386b3613e6fe0d168cf8dee5bea30a5f6a2ae74c50

SHA512
6a7cd49318d2518e01b99365752936579b48f89b2f393eb30873dc9208c659bb78162817a88b282baa5737dd51a184e21688186c2e9bba6a6b9fea5d9321f337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
8ece16a82822dc3684afdea22947130c

SHA1
dae952e87a1ab101f02e8843d3607d5fb4d30f86

SHA256
b3c718dfeb99dc6d131eff31ae31abcfe843e853b96727fa47a3878bddb472c8

SHA512
92672f32d56ba1a6c2f43599d4ab79d18eafda0331e6af5421ac58fad74cb865f9fdac8892c9538efe3c5dc3f9cec69024f1032e50bb78eaf04fc1baaa17721c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
2223d7e1158f582122aecc758b4804c9

SHA1
c00fe94f97eba429012be38ccd5fe239aced52a4

SHA256
d5b8447580f33f1a6ae9d153008fce61ce006e4fd63ffe5cb8cf29978e9d9134

SHA512
537639f084110782f1ddfa06d3e11e983ba825da01c9b1c4aff43decb9dfd6ba14ee40673dd0deb3d490a6c3e8604b1657a7464caf890697323d5e1a1c2a0b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d8b7b8d539f3d43282e9e7210defb06e

SHA1
ece4b470cf0a72c2fcffd11a52df554e42b97257

SHA256
ccd474c5a6a1457a8df5a58ebf122e4384d9bcdf272d59ccfa6c5e25568bc835

SHA512
42b50410d5afb192220f20b9711da09b47e863e96567bb26049331fc49dfcfa276340af94967c54ff80db2f470d7fec7dd964fcafd022231e4e8063507d8b6b3

Download Submit
C:\Users\Admin\AppData\Roaming\2f74426c74f8f84a.bin

Filesize
12KB

MD5
c9570badae8ff13922139c1ed2abfb2b

SHA1
d96424d95c6e70c4d16e00fde83e8cddb73387a1

SHA256
445c1d7d0ed7088a7d357eb6353e93d1a321aa8c6c1096360e3a66abc1050925

SHA512
3add98f82b615cfa972150c1026454b91edb401a6fbf05a053bb1371a8f95c1d75b8d44a720fc022777d63160ce9d112084288147c5c97ca25a8bf79db3578a3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fd50b4f37c2ae1588a18ab3411862548

SHA1
38d7013be364f79e4927789fd1bfae4f004d1400

SHA256
e51c9c7018994173c781d9925366322d00eecd74b33e4fa69269f6b3920f49ad

SHA512
f2e4df93f58d256866e1fcc0125e7d7cb0c64d77981088e1ff116969d8c98c6f4e432c26c21dee854d1566a62309858de8b70b60b64132c8dc00cb80c2a69387

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9a79843fb30ca046a28fd9361ba9767b

SHA1
b18cf1bfdb161b2062ba226342514a498a11a67e

SHA256
a5a467617508d4fdbe1b964411a6995eeab0367a037cf2e3094ff605aac1f596

SHA512
d9de704f87505690bbd3c5d00c415bf06c0f1656a75667e588efedd74bc3ac51a1b32bb56c3377f2322a2ff52d828aa78d9f0d3759a5fcf814d74a79d34bbd5e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
80a9655389edfb9e71a71e1693530f28

SHA1
e6e634961bc5bdc2299b98e22e7ea9fce66a4e5b

SHA256
aeb96ce8ee689d94783d4325a2ff3ba6dc29fc90b770b4022cf5da2e18d4e659

SHA512
b4d51db5aad74e574a8c4f7084bbd4736fea84bed094269561576d22feba99edad51ae47539f1e481c2ea4b45a8a3b9e68408f66fad4aed56518a2e5e839d846

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a1addd9a357555fb49e7148c8533b72e

SHA1
4c9c4decade9d48d0aaa2500b920429c653f1015

SHA256
78e7a227f5e50a03123a906f04fcf88ecbcce2d6ff10ca85cd3441fd9998218d

SHA512
33fc4f258bb75588ed3f0a15544901383f603f4ce70ef0443543ba0f79f51fbad0b247b0f2603882c25cd921d83e93ec549fc3af43a0c38a74c085ad2e684f73

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e69f3b6ad0eacde86458720eb1a974de

SHA1
3b10d783f87f00479513b4d13be831ffba3e3eeb

SHA256
c189070775c055612d6761e8c7138a84c4021b42d463148e0bd224dd571cb9d7

SHA512
5d0ffa4d0fbc07ea5649c24777daacd59ecff29cb6ca0abd42847c1899f4a78d8bb6f5003bc0cf3b13b99999b733a0553b228f64d6923366e6bc08c454d15438

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
de17782c27bb029722a9bdedd0154e38

SHA1
980741f3eae432ac314de3768e139aeacfd8778d

SHA256
2edbd46cd0e7a0ca752c9a8bc7a16eb456016a6e48ca6e28d497e37a25eee7d7

SHA512
731cee145a1141a901104e11ee59a302f814151f98ef4f7d56fc18b800f9fa16c170aec5c87474abbc3050302d7fb7e97dcf2a451dbe234e70e33d0001558575

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d170c7902acf3d417962755dc578811e

SHA1
c9f32989e6a5c7d57d89a6e14ef177d8d6c012cc

SHA256
8164353bc9e7eec8d22b697da215798495cbbf1f00fb86f63cddd1d54aa6c253

SHA512
abfe2faa9fcc0347d09be48149f91d37b2deee8db5dce217f387e1f72927d97590fb6ff4dd0e02ba22409896667d20e89d7ce392d449b0f8982a6b36706f93de

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e6202dd567c4b2f62273dd0596a09b67

SHA1
cb6e59e0772371d44b4381edae9f8fc572ff1cf4

SHA256
14cfd8815d3b8b2ca1da420d347322ee27ddaae54a9cafa66b1a80dee4305f6f

SHA512
4a6af464578ce56628dc4e5a0cbeed60fa397933dd72682bd4ac9782fe4fe268f2346c79ffe774307802b042606870bf3839c3f60f4c8ff8e3c722efb9c0803b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
90f1b2c1facc5804fbf6b9e5070c53ba

SHA1
fbeace3814d456e05c0779126f96dc242dfbeaf5

SHA256
25ee619f9e3e3ba42d620c7f4717316ad535e98721a9d7fde43b2fc2af0cf35c

SHA512
69e5f06a3deda3971b8a1c9b1d435c04e058efdc7a777701111f43f09f29d53127d7d54137d3824d353e9dd1583cc920d800cda77814c527e6e65e6ad3d83671

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf887ac2e873597a5216fe2b74ab5071

SHA1
84cb6c05b82e9f70c3e4339c441d24b15d932ff0

SHA256
e60c7c6bb3ddd7bfb473701b4601d1a6d165c589e0ecdcd6ccef748a9430eb2d

SHA512
c114f1150c19255c99888fde7820100b2afb40f2e034d5bf6c8569cf5930578a9d4565ce9d8c9d54556dfd31137b695909279a724c93ac51f885184a4108de27

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
144a6612bd03abedfe42cd95529268bf

SHA1
61f078d32d178af854d8a925786ab644a731d732

SHA256
b117ad686da5c06aa9f3bdf073d0df50bcc88093a1aad8a32619b6e3d8b805c0

SHA512
ad7fed608256267dfb4db1c009e4a127fac864faa9956b44d092d36c9a73ed42839701a44cbf456ceab27cd53583035c223970c32482f6ffde964165c9393a7d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3bb142b5bfcff83c8e06de19fa30d40a

SHA1
20e148a56dc390bb9c46bdcafd8d15b20b5b232f

SHA256
ddb71c4c2193e3687acabec27d26addd40bc81b2c9bd16919ee07e9df5f766a8

SHA512
cfde0e5b31febe1a69aa6eecf37786f509a4efe698406b5eaf5fce30f0adbff2c61b4b3f6e61df306f88b74a7a93e434838a75d852bbe9314e6ba24551eab319

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
048b8a3ba226431fc9795e6bedbb1477

SHA1
ff0d3bda5aa7d90eb58f8b3b951ba8e0ff6df825

SHA256
ec6408be51885c640f3d52b2f829c7f8d693b4c2e6a54144f14a0ef734145068

SHA512
dfd903722fe5dd58cf1437833135be2beb977fad1aee55840fa7ae40da5bc40be4b6e254bfed3313023cd5faaa4d68a8c0cdc5e85e512c37c44fe6b3f576171c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7b227daace742b58b68b991022514d19

SHA1
c947c127b181f3c1925d0e51df91c9bc22ea5968

SHA256
afbdd85a0b2ca654b96ffbc6211d63e7b8f5f5579a90b236ce016172c89dedaa

SHA512
2d3976887a8c0a1dedc12138b0a348114a89a5f1bb1004b816143ca760cabd01bc09862f065c0ef48603d90867df09ae308d74ca6357c75d39474e2504b05865

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f57cf3281a11d60ac88c64f55a9048d1

SHA1
ea7b194fa7db519ab5ccc9c905d358d7ccd39b7f

SHA256
11a498ae89bf25ce4f6686de421526ec57c57e2ec764496f163760279e4df602

SHA512
29ab0123f6b9fab8e0325f0e06104fa460dacd53cc9cfa342d6a8e606d9d7f091c93a0131f94cd553ad592479dc45a18e81e09706ca131fc28cacb281c577c2a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6575b7f7b855620414d60297de14eb98

SHA1
6cac9d4210f4d66e011bee28a3bd7b7bab3ad58c

SHA256
0bc7a381cd38a0b5e1c7ef52e013b5220e9c46ab23f5dc49b94f8122e812dfb1

SHA512
64c402dac08c4501849e7516884c7f72ba78026a4fe478ba7358a5685e7273791e8f2f0153ddb0ddb0674fc773589c9a16f743cf1ed0c3da9dc6793bf586f9cf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5d84a528f069cb7bb4de268c942c1b40

SHA1
7d26b2ceb2ecde99077c0abfe1468f2d6c75137c

SHA256
a100bdd9fca7b4110a9d694ee6bc2a50c72f3c120695537c85eca7db0b323242

SHA512
3747117e2d4b703ab500542882a3713586a29ca511a468cec16d7fa4e1f6b510bac00f1183380f59d34dfae7176a95a2db820f38bde2e0b027b9cb6ea739bcc1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
76d1023eeeb8d3bbdbd9ab2e02b9decb

SHA1
6450cf479dec3ab7182dbf74fa1964e67318fffb

SHA256
e0d509f8963f3cb50fda7fc9246a6e053c1191caddbafc0737155776ccc44701

SHA512
c604ea05c7b6383f349cd08c58f56781bf069a65f6481389a06eb22b0050e1d12825c60a606d7833b2357309eb704958aac0b288996f107d861dc71f1c4d9058

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9b98f5147fc42b11df5f0fe2d14a48df

SHA1
7a4331b6398c042c081ce56e16320039956e8e2e

SHA256
663674f67ce8a0ecbe108ebd4eb595cc872b56496012e0037fcc04476d85a559

SHA512
276b8d726b899cf00db8c99a7c0c65df5d31800b39e1f6cec5f89415d559067804a0c4f366ed35f5ddd7bdc6b9e582f7a45386a040aab0b21dae2efc2c00411b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
908071fd100705aabdb3d81cca5a09b2

SHA1
43e0f6fa6c362e1cca5519b54f0128ba4b930fc1

SHA256
36dd17298a230174a0b4ed848fd8a88b0a3e6124b31abe2f725ae3d097e001ee

SHA512
bb63627d275206f2d54db147b002216d822f547d75e2a8e648650b75f1687d4b7a980d0738f0e3e56e873475ea9bfe1a1225c8e7dc5a35837b48441345ac0209

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
643910b19040ac12f0c3bac79c327811

SHA1
fedc4a8c3a683cf61df15dc176ebd3a0e34dfa03

SHA256
4c2a360fc69d3d7302f420ebceab546d19263e36cb7af7b94bf1e69153879d49

SHA512
6b9674f65c6d95268d5e38c1d80b595e5a7f6880f93f267c769447df0e1fe53155d7c15692e3f69eb9185e1ef5a90d00b874c27a41aa1217b7e3d92640d07d7e

Download Submit
memory/64-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/64-244-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/64-165-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/116-118-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/116-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/116-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/116-111-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/116-99-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1000-249-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1000-340-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1000-260-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1080-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1080-140-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1080-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1080-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1216-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1216-30-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1216-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1216-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1224-602-0x0000023436690000-0x00000234366A0000-memory.dmp

Filesize
64KB

Download
memory/1224-601-0x0000023436680000-0x0000023436690000-memory.dmp

Filesize
64KB

Download
memory/2236-258-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2236-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2284-194-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2284-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-184-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-245-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2320-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2320-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3436-80-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3436-93-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3436-59-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3436-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3436-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3592-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3592-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3592-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3592-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3592-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4008-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4008-152-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4008-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4276-217-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4276-299-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4276-208-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4332-105-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4332-12-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4332-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4332-26-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4332-25-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4540-262-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4540-181-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4540-173-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4796-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-168-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4816-123-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4816-126-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4816-133-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4816-192-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5136-272-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5136-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5136-353-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5176-369-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5176-377-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5256-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5256-295-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5256-285-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5256-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5544-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5544-307-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5544-571-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5728-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5728-335-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5840-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5840-349-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/6004-364-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/6004-356-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download