2e3a8187a03348172095612db1285f67f8aa90362f5dbf5078f90fb6283d3084

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
Size

5.5MB
MD5

af5188eded714398cf631bc366e23835
SHA1

5e1173116e48e3d503c83effe52a9d468522dccb
SHA256

2e3a8187a03348172095612db1285f67f8aa90362f5dbf5078f90fb6283d3084
SHA512

4b9a0c65f729aad866f8dfae163c2396ed09b23e6c9803ec9c04e39579881717591bd37c2afb6a6fe0bc2a50d0db2811b4d7498857d84ffdc78e78bf7dff0cf2
SSDEEP

49152:HEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf:TAI5pAdVJn9tbnR1VgBVm5qj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4860	alg.exe
3552	DiagnosticsHub.StandardCollector.Service.exe
3372	fxssvc.exe
1860	elevation_service.exe
2356	elevation_service.exe
2676	maintenanceservice.exe
4044	msdtc.exe
4728	OSE.EXE
3644	PerceptionSimulationService.exe
1168	perfhost.exe
4500	locator.exe
5196	SensorDataService.exe
5372	snmptrap.exe
5572	spectrum.exe
5700	ssh-agent.exe
5896	TieringEngineService.exe
6012	AgentService.exe
6108	vds.exe
2312	vssvc.exe
5464	wbengine.exe
5592	WmiApSrv.exe
6048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b7df4c2afc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d45ac7767996da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbdc6b777996da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9707d767996da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090ae59767996da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b346f2767996da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea34df767996da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfda8a777996da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
3260	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
5328	chrome.exe
5328	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4216	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
Token: SeAuditPrivilege	3372	fxssvc.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeRestorePrivilege	5896	TieringEngineService.exe
Token: SeManageVolumePrivilege	5896	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6012	AgentService.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeBackupPrivilege	5464	wbengine.exe
Token: SeRestorePrivilege	5464	wbengine.exe
Token: SeSecurityPrivilege	5464	wbengine.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: 33	6048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6048	SearchIndexer.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeCreatePagefilePrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
5064	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3260	4216	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe	85
PID 4216 wrote to memory of 3260	4216	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe	85
PID 4216 wrote to memory of 1668	4216	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe	87
PID 4216 wrote to memory of 1668	4216	2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe	87
PID 1668 wrote to memory of 784	1668	chrome.exe	88
PID 1668 wrote to memory of 784	1668	chrome.exe	88
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 408	1668	chrome.exe	93
PID 1668 wrote to memory of 1748	1668	chrome.exe	94
PID 1668 wrote to memory of 1748	1668	chrome.exe	94
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95
PID 1668 wrote to memory of 5068	1668	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-24_af5188eded714398cf631bc366e23835_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8963cab58,0x7ff8963cab68,0x7ff8963cab78
    3⤵
    PID:784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:2
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:1
    3⤵
    PID:3828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:1888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1672
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff62e73ae48,0x7ff62e73ae58,0x7ff62e73ae68
      4⤵
      PID:4084
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5064
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff62e73ae48,0x7ff62e73ae58,0x7ff62e73ae68
        5⤵
        
        PID:4936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:5300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1912,i,6416333078538416396,5714273060488652228,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5196

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5572

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5724

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7b6f00413fe5c6e73e2c601b95a9d60b

SHA1
a3bdc8e78ecbb7017493e79ef673f809db3aff1b

SHA256
60fc1a88836dbd8c44b78bbbc21afef3a83614fec0e0e1f99376bc30f0d32fdf

SHA512
2ce18fda68af48cd6508871a6c14875679e419157b4f3bae77f3310a6c13d74b7360e33d6c031620f54aaf4dc058474939b15fde7596626b7f82d242feee152a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
23502cef5ce26ae7dfc0a219fcbc7862

SHA1
6de36f07ed062bb6f3b1130ad51888e130d5a815

SHA256
b016dfaa929d64482770ecd44c7cd33ad928b6f4547ac43170a3687585fda566

SHA512
b99b3c47703f7b45b4fe391790aa58944ac092068336e96c59739b76e24ce0b5f0d46c25d36e34efe7bef643c4f805fa860c4f536a48c38584f1effa56ede708

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
69f672b8b4671837da697e46d0721367

SHA1
a40d1385cccfd050a952f2e490a0bdf43cf90742

SHA256
a978319ca28840c0619d0f754c0d46dca87663065259de83fac8ec6e4102f0fa

SHA512
ab97e35cec9eec3fac96aa7cfbcf5f8a833eebfd5f7668ba8d1210efc8fbf2e89af8284806f3c063f57b465016b39314ece96083e03a6ae55106383f40c6940c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
39656dfa3573a2346fdb9c493ba9f705

SHA1
acf6adb5549dba7fd980878924674a7a212d803a

SHA256
cce04797ac8751cc62b3bedce147d88bb7c31ef35c78eafb221a14baf59bcb98

SHA512
09291a1c666a50c67f8591b893c1a2adf03e10cf35b77008a91dcbe2a57e421ad3cb5410f595042760002fe00665dd5bc97651fcaa90d7337580b1408e387ba8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
03db010115ede3b98cefc00fd42a0a98

SHA1
aa47cc548500e1ec0c4af77689bcf0091918aa06

SHA256
0d6b438a209e2dad7b10c5c5f1482623f4b5ac6de9d324dd40b8b812a9a8b073

SHA512
7d457e558dc7fa8ad8488310047f5b63c0c8140f24c589cb98f32c62fc2f9fe8fba543d6d9f9dd35d6e3eb7d7f604d37490d7df89c1fa48a975ae70bfd59d630

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
98a704189114b1c94f039c5ae370bc6e

SHA1
e09dc8bfbaf77c7f158d15340e1e595fef528f03

SHA256
3e996cec826a272d68324a5e5099f0f097b50ecad39e6545418432a790cc90b6

SHA512
a300abf10be0d97453543971fce93b395625494fd575bc93f2f2496c3d10a3e139198368479dd955f4b2e77585b575a876546841f0c05faf1a970101350ff87d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a0f1f7b4e460232529cd70b554b18b93

SHA1
f9cbff810276da0ffbf04ec5ae0594487441d008

SHA256
555b2a66179f474393591777179c0b92dc03999ce49b12bea0b4dcebbbed8e62

SHA512
fd99ad3ca86160ea1d0c9a7e978dcd76d5661959a91f4f3ddbe7527fe65c928a4c428799845371f6f39dbd3f7f4d83992656f9da11cdc49774ae59cdc7e2fc98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bb03823040ae3af0dc4fb5bfdf800d56

SHA1
e4ec6693cfec5f89c23ea30aeb40b04734777450

SHA256
88e740d78996e02c6d533442039a7ad6f43d6e936fb862a95db8d86712fb4ab8

SHA512
4cafa9c7768d980de8aab6bf3f3b3b0a926c923d990dc4e099c0f46609cf9e270ccae15100b4b9ae7c298e183c414de48c6041bac9b8e830a35d21959ac647c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1239679edbeda24cebc84bf816dcf11c

SHA1
5914e6f52242ddd974716af889aa73ba4049a6e3

SHA256
065f58cdd3b11e84a3df20f23ef9bf32bd82519e8cab30407e531b9cb38991fb

SHA512
484a25464dcdf6e0e9031b70497b5e50f9941883b5afd39aae1ec1c59c699d5a132ac1efc3c63d053b2e3e63e8b32114a24cb2917b1c159182bf384dddfdc465

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
65119bb14862b3174bf12281cd8556e8

SHA1
01a2ad881949676aa2299b789ea1665aba244fa1

SHA256
15ab58e394b21a43457f63cfa5447d68933f4e7a4a10aab6442e50bc3e3fba78

SHA512
4f934a6de19214e6d916563e8055b2cd8df5f75f59cfeed983e3ce3dba3a4c02e63e3bd36a10748eb92746d3fe060b70a55be4f29a4bdb96fe536414095422d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67701289ed4872352081bbb26cbea225

SHA1
27abc70ab31e2309d1e61ae853a0cc3d0d5eaac5

SHA256
9d7bfd1548cab55afc6ec9fd337af6b786f993c0bfefd989090237744025b5ed

SHA512
7faf601113ef7984fc852395d8b51e2405196ed10d751608f7c1e2f763351a961eb27dd28f061116a0814ecd5aea29c9899f98b5596b7752611c9499f790098a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
000dd405d238d659079da04cfcdcf4be

SHA1
ea4df03cad69e78e374773bebc8e7dbcdc011131

SHA256
fa1846327a53c2cc824a39f75e50ec0831aa42249fb77ea8e2d996a42d8b480d

SHA512
4ef44881f1db48218be743003f097f83b0431f340945f3eda81bf1e4f1eefd03a2236f444ea29f073edddb1bc49cce9232b14ef361e1651583a5048149492b65

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0a1ce1139ed270986ffbe25a9e2f09ac

SHA1
2e2f0102c43e48c4ff56b276abec8e320f80fe49

SHA256
3dfc3318193458a651d43f5b7a4a4e14edaf2468749cee06eab62828650cc717

SHA512
54f8730af711a266af6b526376ffae468176da86ef805814534c884ca626d3fd0d1ed3e6a4c808b055b4f85716f1d5ab77f4e29fd1b7678bce34e012ebf177de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fe0bf559caa4ceaf5864b2a191f0c119

SHA1
651b9a74721d93632d64a550231f8a678cf8d4ed

SHA256
c640c2cbf2b42f46658e64ae55c161deaea97f9c76654c2c7ab0bcc171943365

SHA512
69c2b9b9a7d875e297be8b44a0fcadc33563cecb8f344f15d5ee26aaf9bb260ebd1451b16673be4ea3fcf6087416c804fe04128455bf3a5c2abd202bf47c047e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
73c9e98fdc4346038de1a1829a7751d9

SHA1
197609ecc9f74d68c654ffdb6b1c8356fa72491f

SHA256
2d1b089c7de14aefa9d7ca237febddd2da1bb150414c5a5242a50a58d897d4ef

SHA512
799282b8c5f57a2ee3a18ff2a1a10c5e889977a26787fadfcd5a9435d06e4580cf4cfd8d3f21a770b2eea75f6246b78537deb61e6c567f24eaeb7e295e8de144

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
db6f275c4beb712aa408d338d7f46ead

SHA1
9c3ae9af2ace26b0d274f3774d68c302db5ec36f

SHA256
ec71ef03799f08e1f4d31722602afeac71f00c9683042017d399428b541e772b

SHA512
628beebadf03c20ae0ae384936e52f46e7db139d31f667324577f2b6b72b8b963f13f0b8276724733898a53dc3783d653e4bc92a9e7fa2cb58d60fd8706cc558

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
25ed68c3051e74936ad1a49dd4bec68f

SHA1
e93546ec3e464551f9cba46cdebceaa0b4edfc28

SHA256
d587b48a5f24aade6860213db75c7dc7bf768dff8615f837df5a73b420f7a8cf

SHA512
f6c5e15ce15efd0d90409651709b749f751810ec8d4ad73c06831ab83bd5e4ee0720548e36157a3feb4e29008deb1bcc4eea716c9ec84c3a80b5dad9848b2740

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4aa1240305a8588a9d74cdf980244ee4

SHA1
93bf23f7b8427b65ead0afbf23bc259f7ab1db37

SHA256
83cc9d0bc966068e71ad96f42533367c5b057081d8aa461f2db4a64cab03e7fc

SHA512
e5ec5929589566eef1ad56173c1c80721bd41f19606db91c428365ba69c1aed6e80d4c7f05ba4961fa969f88851d45a1c12fc6a6030cfd8db800ae4a962813a4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
876984c0ff142374867e694df5011277

SHA1
a52a0a479918fc74756f6f2014bb5958cedebd6f

SHA256
cd778fe1bdb38e4e8a077f0c365d190f51dbf267957d513127ca3458e33b64db

SHA512
ed3554a7ac166fc250f6c216c31c55a44f3f7f706b3c45d4b036a08375599c025052e8376b239142d2eb76c0940b2a71d674bb60dcb51d3352f34e6d396038f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6a5d03b7294d9d47001b5262802706a6

SHA1
618d9c808638aef5ae7c591ebfffb01facc3c934

SHA256
81b83c7e2033688e62341985bf0822d16aa07832e438a75856e3cc2b660a3594

SHA512
9b03b1af6922bbe29022ce251e9094524f4738b9cd42c6f6bc195dfd14ec8d12ecc1f675fb865fa34959712e098988b9f16700a857acfb03726302d9f84b06dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c4faaefb95d4522733dcde43507a2caa

SHA1
1caa18fc8381ce32e985b73ce41ef3dba3ab801a

SHA256
c4fe0d624028bb88d87dae356146352c4799fa4ad81b39bf2375ba9fbdba18fd

SHA512
23085a157e533a4b8a951415e8146c9ee1c240e5b873fa5701ec09aee51f335e3d7806bb1090aa64351fc0f6351eb66337ec5d62e0842d17a5201eb5bc366cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
27cdacb86a5c84a5f3d210ffba0e0e34

SHA1
edb95dbbaa7fbf207dd5efb34891af7312ade18b

SHA256
99179c316d10dbec3135c1d6a5c890c342ffffff6f2b368ffb76b9d38f9d2d4f

SHA512
9d83e6100b7a261b02d0442c2c68235f51b0b66f8badb3c04556970f33011236792dfcb708aacc737c8b8cd6a48b43277bf84ad327ac15ff124a552e5af90b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
88f9ef994f058b97a36408838762cd9b

SHA1
62ca4c5b3a4df925feeb5555d16c26549114a5b8

SHA256
d8134a69fde209e274b7dcc1c355ebfd04cdf0da4a3a08cf2ceda5b1170a4564

SHA512
d18c9461a2dc6e8301d116757ca0fb1aca1334c70d67e630a05eb082397cc4bb6d2d4e3ea2724b9359e4b0241caa7e9af8965a9273d1f5b32eb2c1b4f9d20c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f6465b469840fc4271ccbcfdcf5c7bc3

SHA1
8991e2b536a7eed399cdb212f9b7f75fc105a5b0

SHA256
5398d3b9f1c11b90d56539611ae36b8af6c7b8d0b011663d5e17b081d6c0cee0

SHA512
dd52c202441f68524e475c605ff9ddcdaf756669935370b7b69a8f13a5224f97a29230ba0df63447983870b0406a08c1552abbbcd02f41ac8d1686f9ad4d6b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2fc2d8900252c0f3a797419a6494e485

SHA1
65482f8bc75df35f7dcdf49349b8c86ffa8009d3

SHA256
5e445fc8fae49d7b1636efbc714ca520060fd63a9f8f89b3ea5cc5538646f629

SHA512
5e66c3d13d61d77362778cbace43a6a30884e45048cc14da14d4455993c5fae4c32b43ede3622b87568ae9367054cd1859dc2709ebee41b43bb1d08f9f952ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578117.TMP

Filesize
2KB

MD5
3f83eec20ea3491da5eff4ecd04a269a

SHA1
2bd6a1dba95902229d1ac874636ba43303ceb376

SHA256
458e9ff8954923b8a5788a6fc41f46f57097da4985fdfc96cc5a69d5eaf5cf6c

SHA512
662df191e193fc7c8602695472f8ac3b9298636386104dae8b118e562701b6e652ff5fac488d56a36a4dedcfb1fd46454b17212a5934150766f9e2a41e5c637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c46da0ae122b6caf843c91ffecb7dc4f

SHA1
12cb30e85bbd1ec2db3aeaf6a960fb5685939cf5

SHA256
91ba8632f2d33ede504f94b976c5371e8c13aa96a40d41b7508593abf35d2059

SHA512
6267411d9086ca2bde659ee8430c4ec1a5bacea16f13e579d8c1a394373c68e78643a72bdf3cf0507f940d98669a5e77f448336a44e3ff3c4e7ec5f338cf9488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
5d1c7709660c11884b4148fa5a8032eb

SHA1
06fd5ffa11e2b2d28699d76871b591585af3c39f

SHA256
c8dd86fbc441296a8bf21b4e4f165e25bc99565c34725265496ca3d5225f7edb

SHA512
3b6d4176cf0d9df12aaf08373d655697c2683c8637bef3929e662e585814e6eed1ede2cf5835868eab332ac787fe9127627bd18bb83ef3a64cd8d3da27f68dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
bdfaa5607de33919addcd64b5f0f93ed

SHA1
2cf85e304ab7da40739bbd6a3454cea82245c809

SHA256
746f2abcaae4724776005329703254ccbc5789f80557c1fc5c4eb19aa96c2eb0

SHA512
238c7fc8aad5a8f084e4dd924fb72c3c6a73af45757b5660915ae5aaec8b202ebff3269b55769cfddfaa58b5fd92b099ae01f006ef24c77c69d96525f7e18279

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
825cb8dc8ab7d02817605c03687b8690

SHA1
5d691ed4ea1a3e9a1a6e23d8fa17088db7eba66a

SHA256
e268ce837d6165f17980633e80d6c54ca31a0d7bc5b9e00580cfc619e19a20f1

SHA512
7258b65fcb054cbcc8973994804b85eb095279afef865ade184b4c6618ca9595b955eed23f6d48d62ce0d0c4637da49f02af174fc0a3b7a37f5f275ecec8a7fc

Download Submit
C:\Users\Admin\AppData\Roaming\b7df4c2afc7bedf8.bin

Filesize
12KB

MD5
4f55e0277158dd999d5a54fdc96d7d31

SHA1
55e7028e0064e714d51c4c96be9953c45e93603f

SHA256
42cf823d82764fbb65a74d1b216cf4d27dd6424e220a91849d576f10b977161e

SHA512
412d1023b45d7aa1ddf583c60af809d32644b0828168f58217080271d0cc6d5e1730693d635fe3a7ce4c43b5eaeecbf9c027c2d8d7ce312e141ac81aef721e03

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
788df214c9cef70730bce69ec0071b16

SHA1
2e87e8b76f826e09dd3ce39975615eff38df496d

SHA256
309e75dc7f43541cd5e6090fd1f62f2ea9d8c60a093e2f978a3aeb49c05c2847

SHA512
6db40382af9b6631775afe62566a441c560ecc6ff5e7416f1f86980fcad322336096e4391ddbf98f701274a9f5400bed00efeb746af15d751590b22d357d1e82

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
940879128c27ca39f4d2e4fbd61bb23b

SHA1
b1611a76a0805c4382d137501c64c820b31a4d88

SHA256
a1ea2494f7894d4a745ca210a5d85a041c6dabb8aee6481ca7365579a2cf8628

SHA512
9c3ed855ea391996400d9f1b62da5abe539df183bc390657c06f01777fe7279b0580aaaa2cca52c6ad7d64809b2353de952e988300c9f4dfecf6deecce97806b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5d3f7482e93f55358b79d08c043f6f6c

SHA1
875356aa1f5ad48dc5277d4eb6c1a223b35ed725

SHA256
2ea289d8553e63c9783896004864a475ac21154aba951ac07d24e7af1f50f3ee

SHA512
fee40e5a7d745b23b8bba24c6c3c76685f3e03921fd4f9fef6617e8d8a142bd44436855317674efe3dd6d653cfe5cbc310bbd19da609e8da866c728987abbac3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4d1cb4d2bdca218f7c0789d6f49faec4

SHA1
bc1cead0fdcb9da4a9441261f3b88cc6101b0068

SHA256
8bcb75fb2c74b89805960194fb4228e8e7499c4d63e5867cdb863201f802cca2

SHA512
2ad6943bf0378951c9c3b61689ba5dbc670dadb787105581833e7d63525010733e0c7ed0fe03e54463307eb5100758c8a401e6755f9337629a3cb068ee1a326f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0e9a8fbfbba9a087a5c91ca996428121

SHA1
8d8f3d34c12d06b24929b5490d4680a943c98e44

SHA256
6ab0e3ac5aceb7be5633bf2fff9605fdf653498f5e8ae462aa89ba5b687bcbdf

SHA512
50013d34d65112dccf2a0c15e21e931eec6ed4d86670edd63bc90e55a9ccb40e821e0b44b6b4856e8af6310316fa2725e263b4cd9df39fdcd2c014294eeca0eb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a20f268eeb89a3d38637d33518dfae47

SHA1
8a9a12ed64143e07f5f1f3caa88dda4a1449b730

SHA256
526aff7cc7737517b96705571a74fd098728176ca9636764134b109b1804770a

SHA512
88912d90fe3374f2dd19f3ef642329fb4b0fd7cbb66763876ad4c36bb6c0b1f6cbbbc113f53bc969288bd040e0149efeb3abff401497a4b8b2e43abf4ef1955b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
20749ec47ec13f382d23ee20f4e89fd3

SHA1
b5ea506fefaf9ea0bd05880f17424e624a7015f1

SHA256
2eb40004e6a84f8f86ec5ebc84abb8bce9c3e16715e9028b523be5c8201ef761

SHA512
b2ae91449133ae833a6d70123622e11141c7ecf34fb98681c37537bd08e106f841593da3e278fc05b489d4ea3a314b93f1a6d0d2f31b9ef0d27ace3ca44122c2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
59fd8d49cc0ae0b50250236df820b7f0

SHA1
85a2844a008c002d9da1ff9d0aa58e0a4ee27de5

SHA256
7c0b0e88c72368dca3a6b4d40372b802814ebc75e73c1e8c0224e349dbdf0516

SHA512
6d98014bfab042dd15955e952e69e685bced6b553f505bb1c1493b243f167f6c9c744b005838467364cd237f4368fe3bcd39db4f03270fd8642c5c31a7fa5f3a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
802d9c15b6d37d73677d23bd28f20000

SHA1
3965f3e9f7bdf9be685efce808c961d81485041a

SHA256
27629ddb7a97eeef57fc23d9ed5e15d2497bcd83c418f2ca044ab11135a92668

SHA512
c2b3f730691da2ab7f079dbf49e3df98bf5ec3b329d2e2a30462e3402d3971fd473662fb58820ed6c48d37c9c1aafc08388841e01fd1eb42de8f6ec5cb0793e7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
557c42c613754f5f121a79407e28cf63

SHA1
fbd22df43445b08d1185454e8b42dcb36e1d4415

SHA256
33be754e8046a8668b56106b83dc6c37da91b25be6eb3c57177fca18dc8dc9aa

SHA512
b76a1bc87767950dffe58427b995cfa3d7af79f5f8e818648aa587cfc636f3d85cf14c729b44cd40f9a25928d87043e6ed7db799912777975ac41626c06c46e0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
845eb4498a1900f9747b60abc682802f

SHA1
58875a0b7b29a93c1d75eb619233d36037916f65

SHA256
8a95b85413f1e9bbea04703a5583cbfe9dfe946ece5f7cf8343bfb9d3361ab86

SHA512
ec16fda124be1901fe3c618cc314046934c2d6949cb082a77f5812942324d62bda64e29f359f2993fc85f32ab235489e311cdf5110bed8a4f4da30d0a1b81f20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e29dd1d0590cc54c518e3d8f0d8f67ba

SHA1
800a278bc3111f7928b471d162e33ea0821ab3ba

SHA256
3f7ca6c0beee2beba18ebc54ea6e6367ac7b78f3d4d6bb2de90ca900eb6de5f7

SHA512
b2428e8b8e985189457f9eb61073e385b1f22738c2f8bf9caab0d74ab5ae99200206d6f939059740632cc03ec526d2d2ae073e703bcfcc0e0630fbfd88237c51

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
47d059302f23445fe0a5228c1c1d4eb1

SHA1
3a6cf17313dca2b4204a96fca5f63534ac478b69

SHA256
f37b8b5f67d44f98fea6f58444749b718074dd64fa6630e3551703508adf3fd2

SHA512
c0d5cb8ac1af6d6ff05e407b502adf964ce645a60a645837bd4eed8135ce23e19c21d2b83d2a425e3966178818a0bb2920841dfc3e97810769c64ab70b4a2fb2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f2c790b6ad1160ae580d6226f08ee964

SHA1
0cf4a8fd8b1632c5a3e70e377f90b3ea4902dd37

SHA256
0bf4c725145578e84e16e94ef785887b20bf184d7bda62cf542f218fcc4c05bd

SHA512
3541b0d895f4305165a95138dbeccd74076ec83b60f6e91fed4125174e134741dfa335f65c732812c7a3190c9ac9f5155e86ed56374326d52a600264bfa417f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fd6328aa597046dc559f3e6fa2f7e140

SHA1
cfad6a5d8606383ab36702fdf21ba2185fb240a1

SHA256
b19c88cc285aac6a837548de791089863295391ebd6f0b4fc382d36eb6ffed7c

SHA512
4957c0159d1874fc119da1388df7cf88debde6d77675061e801d8c81312bd0bc581cd76eb2e9ed84a17225a2fbbf9c881dae5b4ec010db9f8f73dda700cc5176

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
47d2528abeb0dfbdaff5d0fe5e5dd3e8

SHA1
caea621b1001f17752f552fc3454fc50a40d5ec2

SHA256
5d31e62e007a5fb8a0d3fafaadb9e5b0f4a75021f5315702394ab38cc1c23081

SHA512
dbf97c4d5aa17f07a17882f412991e4d8b8f621aab9fb8c0416603a826f7c3faa6485b01834404babae0ef0645b0c4dcbd9d7b491505bfa6e6ae70ad9d8119e1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e3a54671ac0a0b95362b3876a9917990

SHA1
5fa540204d8be4d112c6d17226d3f0ba70065fab

SHA256
649af9e6d2b6b182092778cb6799c88047e1384bd5f4fb1415b95ccd54aa4ada

SHA512
6e9139e6b2cea128189619822712f17f707a61d07964cccc8a45ce31c48c123c0d5ac4b144caf399eac7753e758a567f0bd1f67c42349d240d2ca85ee837f0b8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a42c15239aedd844c9afa65e324f7b9e

SHA1
8fcc599b3c1aa1e171a3fe5658ae9eeac568c513

SHA256
6446139fc952590a78f94c52179111afa34912a2cfbc9fcbd78a709a75ac8c35

SHA512
ba4b9dada8905f06f2f6da71c35924b2e9495fdb441d9b3cbef6d006b6088e568c723b22809d7a7b1fb072aae87add37e3f1ecb223077d684df73792a238630b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2017bc1ad588db6593742f6028f2b8b

SHA1
b78a7d3575326f7d3c3b9d0e588cf171576fb803

SHA256
30cf58ccfca0689267931d90c8e331aee3754f9c101476d0ecfb9f87e1ef6af3

SHA512
66af70621d5765a0249f61f175113d36649c4ee50a1a97a88af67bc335d22ec9a7141cb580314b448439f6ddd37577c894403ed5de32f2b9bcf81c5e0f24f270

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
13946a74e5d765f1520b749f1618dde9

SHA1
6be1e5ba6b1d0591038aaca60248b11dcebf1557

SHA256
c2b30f55468ac51c31cc30ced10954de7e99ea633354d40623fc6bdc441cc4c1

SHA512
a8aa2207106f59ff61561a47378c71c4fc625ce379a044b2931781038a8bcf197ad426b197001a69f8eb07391f419abe917d53e7b483b6262595018321bc6b13

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
9dc0ace0a921e89fafc27660460fd28b

SHA1
896850f9c672e04a02359d9019eb701f83687973

SHA256
db1b5f4aacf7c8cb20034a61e48781e89f7c79c7ae4f932d4acc0e2dacb3442f

SHA512
17dec17f4607427cb1116ab324b55adb921d54cbbfd40b400b909e84e8be642211ed536f88b00a3768ce653e0362629d2fea0236a5aa315c008128878cb360a3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
2fe35be5bb25af148997484b58ffe8dd

SHA1
5e2f034aa33f3b112a572b74baa337d031318f91

SHA256
9fc5cbbbd4217159fecc622d6f7fd68dbce70e94448d951e6784f25146881a8f

SHA512
e0691bab82d67fbe9ecd9a0b7e9abf879f5493061536c7f8696c5851906703f28f8699a8338970894a58ca033566dc34ca010d7c26489dcf0b23360099b805f4

Download Submit
memory/1168-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1168-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1860-70-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1860-104-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1860-108-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1860-93-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1860-71-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2312-338-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2312-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2356-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2356-101-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2356-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2676-140-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2676-139-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2676-124-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2676-116-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2676-117-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3260-24-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3260-99-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3260-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3260-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3372-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3372-55-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3372-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3372-65-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3372-63-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3552-142-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3552-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3552-45-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3552-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3644-193-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3644-267-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3644-186-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4044-143-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4044-234-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4044-165-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4216-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4216-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4216-32-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4216-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4216-8-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4500-202-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4500-287-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4500-213-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4728-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4728-170-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4728-254-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4860-30-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4860-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4860-21-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4860-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5196-236-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/5196-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5196-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5372-247-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5372-314-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5372-256-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5464-349-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5464-354-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5572-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5572-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5572-268-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5592-363-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5592-367-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5700-347-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5700-273-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5700-282-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5896-296-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5896-289-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5896-360-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/6012-302-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6012-308-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/6012-317-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/6012-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6048-396-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/6048-389-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6108-316-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6108-325-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/6108-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download