cf928e48ec27e41297c68041b981ad8dcf74c6df958acb9cdce6c2aa6a58c2d6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
Size

5.5MB
MD5

62835cc51ca71e1b689f81a3c97c522b
SHA1

3a60393781d86934dad0eb8246320d28a36081b6
SHA256

cf928e48ec27e41297c68041b981ad8dcf74c6df958acb9cdce6c2aa6a58c2d6
SHA512

d71b810fd04295429ffdd0123191b7080b581c1b382c406a83a94a76b091ce39323c0098dac55dc60b24d9ce1059ca8768da9c0e2ccbacaf27fcb854ee3c4364
SSDEEP

49152:CEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfl:IAI5pAdV9n9tbnR1VgBVmWC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4900	alg.exe
5056	DiagnosticsHub.StandardCollector.Service.exe
4016	fxssvc.exe
2472	elevation_service.exe
1492	elevation_service.exe
5000	maintenanceservice.exe
4164	msdtc.exe
664	OSE.EXE
1368	PerceptionSimulationService.exe
4104	perfhost.exe
4332	locator.exe
4680	SensorDataService.exe
1504	snmptrap.exe
2176	spectrum.exe
3380	ssh-agent.exe
1376	TieringEngineService.exe
3920	AgentService.exe
5276	vds.exe
5392	vssvc.exe
5520	wbengine.exe
5640	WmiApSrv.exe
5736	SearchIndexer.exe
3740	chrmstp.exe
5432	chrmstp.exe
5776	chrmstp.exe
5896	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a63b0ac3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf56ca4e33b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009869454833b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046fdb34f33b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acf2e64e33b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e22ee24e33b0da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
4544	chrome.exe
4544	chrome.exe
4632	chrome.exe
4632	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	436	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
Token: SeTakeOwnershipPrivilege	2180	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
Token: SeAuditPrivilege	4016	fxssvc.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeRestorePrivilege	1376	TieringEngineService.exe
Token: SeManageVolumePrivilege	1376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3920	AgentService.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeBackupPrivilege	5392	vssvc.exe
Token: SeRestorePrivilege	5392	vssvc.exe
Token: SeAuditPrivilege	5392	vssvc.exe
Token: SeBackupPrivilege	5520	wbengine.exe
Token: SeRestorePrivilege	5520	wbengine.exe
Token: SeSecurityPrivilege	5520	wbengine.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: 33	5736	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5736	SearchIndexer.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
5776	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2180	436	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe	82
PID 436 wrote to memory of 2180	436	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe	82
PID 436 wrote to memory of 4544	436	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe	83
PID 436 wrote to memory of 4544	436	2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe	83
PID 4544 wrote to memory of 1552	4544	chrome.exe	85
PID 4544 wrote to memory of 1552	4544	chrome.exe	85
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 1716	4544	chrome.exe	95
PID 4544 wrote to memory of 3160	4544	chrome.exe	96
PID 4544 wrote to memory of 3160	4544	chrome.exe	96
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97
PID 4544 wrote to memory of 4376	4544	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-27_62835cc51ca71e1b689f81a3c97c522b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9238ab58,0x7ffb9238ab68,0x7ffb9238ab78
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:2
    3⤵
    PID:1716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:4376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4120 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:1
    3⤵
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4304 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4284 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:6088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3740
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5432
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5776
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:5840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:6232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:8
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1920,i,14202103392539224465,6884016897698629239,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4164

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:764

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5736
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
624f937934025d044cf175e7f543146a

SHA1
8c671fa1aad33d3ccf7fceb3085a62041a30b30c

SHA256
a9c84deff25f14ebbddb2af4428f0827c53527e1661602eda624e402b636fb5d

SHA512
11d99c1444205f8febbd1d1823bc9bff67f21e264f54f228bda5233db79b11ee9cf7334e0e0e20851662eb154ce106481e6b23a7e1fa0b3045ce2fa27f016c71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b2ad497592dbd0aa5b7958ed18f4d89b

SHA1
58a65eb2b6ecf0c0a8417ff9ce9205e85e5c23c4

SHA256
e8268a58db5f0c415b1240dacbdf7532343dcab77fa930c40d278f7f7ad393d3

SHA512
cf7a56670c650f94c5ba258b40130e466fed00de4bd1d36b1ea93ff226df285962cc46e82ca2b6ab91ef16768f9d232d092a473d76607701fe11eab41b36b0dc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4e58340060cabd9798f90ca4395c6269

SHA1
834498d9a41bcadc4f4f97ccf57a7406fabdd3bf

SHA256
fdf80c2fd604e01e75f82154e29d71f748e2e84d6d34b9eb7115ddcfd74a9bfd

SHA512
7c8e845175dfbd1fa0460cca9246b34976cc115432d3a1bf262212721a982606f5e867adc32bcdaea5cb1a9366a29d89a9abc5d51fc5f3215e9c0f0194a31b62

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c06484f72973b310e28138d2000ba5c

SHA1
71dcff96d091179b7b943d4e135b525e0a2aa69a

SHA256
24b6b31fcdd9b159d543b294cb142eefa537a280c944a2a31cd88612065e1d06

SHA512
e3fa0b5079d24988347d55b80f53cc63be8158453991fbe4c5a6e1315a0b2894e23626f289aa0889db5c9e28696d60087328d4a99186f148bdcb27c50a7a1de3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ce846034dbeb8a07dbd5b916a2332216

SHA1
dec1db2703e1d830456eb74ccad885ab2f67ebc8

SHA256
7c1226120a6be197f06952a43131ef7f69c423a8563af25b558a247ed7eb4dbd

SHA512
f5e54c2a3aa14702eff04a3ce5b18d3cbf62a1559bf42e611ae4a3b574b82f06df11e8c924e6769ee97e0821b3659d52f3c531101b04e470a58b13546efceef2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6867b4d0ad02a6bfd1e3e5098dc1bb32

SHA1
836dd945b6638451f2bb345924c52d048cd30b08

SHA256
9c7b06b06b7b6000cf3136657ac44ea09bf16de440edaf3102e7e50df9619eaf

SHA512
3368c05f6741b8b1f09101e3b69d0691cdc37ba8cd8040a360a4ab8fa4acc9ec85a81792f49caf0250ce13e4ecac1afea40bdbe4e66fb225cad499d01407f51c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9ae1a0902e6e14a95b65e6de1ebb121a

SHA1
aa29fb3da4267000b39c6a20f7cb64254e452f68

SHA256
3643b2dd1e15686604fdab5089dbdc9606497ccdcef64c01fd6f802212df8456

SHA512
88ef5507f7af1b982cea0af834bab95b092085f72b7f99f30e76e05873bc6d813ac5c7d42e54f23f1cd29cbe03e0500d9734a2aaac754659f8635f08c2d69fda

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
14cb153522bca9b53f1d5832a5c1d90a

SHA1
25b3877f7e532543d978ee8871106bfd24913a6d

SHA256
cc821aa9da976d1dec61cc90d1703ab6f30468a420cc8dc6f1b061bcc0a02bba

SHA512
ed03beb3b9ee6d4b7a6e9d30e28dca6b517a4bdb00fe7c1653688d20c7390b6be7ccb021e256d8eb8880e3f6e7e10fd10ac35e8472c47e540188a850833b179a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
35507ca9a93014cfacb17ef368aab09a

SHA1
fface5bb077e0e6508aa2fa4ac17122d5c801937

SHA256
d4faf1689554245c65933ae7d960134bee2183b2f86cd3a4c0e108e02caa1b3a

SHA512
8a8aaffbd5a85b253146919429afe1c7c2e489093c369a95b1dead6efff1f82adddb5829beaa0420a26ac47afa037fd3bc420dc9c53460c385d3e54ba9822120

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bcfa7aec08107fe8bc12caef6ff66627

SHA1
6dda780b77594985f53e2e997096d506a19cdc9e

SHA256
c993beecd4103394df6ad935aac2a6c0a004afc5ee3f48b2bf991a1976049b55

SHA512
7e9b0d3b95950163b3fc32095dc823f6afd6098d35f3de5db669371e3c123d5728a0e2fce68ef4c8dfa2d66f362024c4d8c8baebb9aded5e49d06f9f2f54769f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ff63bca6-4aec-45e2-807d-4ea52cfc2f6c.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
eeaea4cb8a0fec917112b1521a5c0e31

SHA1
c6e6fc001c5740fda630f546edb316d34f46c68a

SHA256
ada0bad560326d3970d9a74e2033fdcd95f3097f422edae2ebd076d81f28f75e

SHA512
cf6d09fefb121b842de08603f4d8f5c778f5fd4b7a1bb875e4ce833b04e7b5676012de5da5aac4f02e2ef36239763284daf2da9c8259b9a59d9c1d1b3962afba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2525a11df838ef1496877bfc53834eed

SHA1
94e34ed043aa58790fe9605a7119a6416eb47042

SHA256
7c3689a2d3e929433dec01d85cdf755d20f9f652b6c50085bea39c8d95388eea

SHA512
ecd4bce13e0e137b7caa7e740726a054ed036dd53630428e1d3076bea8356d793d49e3e8febf311f06ea624592b8cc98876f3b6e4ec23b11a8f9a4ce1261f9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fd61066e4cad1ae79e6f73d286d1d989

SHA1
f56c4033a78e2d9f22fa2b74d90995f6bf039f00

SHA256
215aa4fbd2c4f68503e0f011b87367fe10a651e0da58883ce6bcc425fbedd2ab

SHA512
cf71ced4af75cec51810e739be57051579e00beaedd3bf4737ba147e91f877640df4fee49f95aefae71dd6dee8048ce926bf5b8c835505b0fb03b30c1419a61a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
82cacfb6067046f7cf0406a7106ff470

SHA1
60386055bdac81247c669f26ceea5b110dc15eea

SHA256
b6a0f84d6003d1fe4074f8290fd0616ae941989fb953b7d08e245448cf590466

SHA512
f62d06fa191f293ae78a7fe948751ee9ee0da4b86890f9b226dec9fbc767dc55811e1ffcd50289ab5dc2e0a88ebff6053150b5fe41fedc47b4fb8246adb5861b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577426.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ad00cd71c8d9b6460927fb86726c770d

SHA1
9a5b279b79a524e36d847ae12a79e241711b6b29

SHA256
b531fecd18e6d8b025232066f0bd315973078f6c4a3073bbfc1c65947cf32f70

SHA512
c57c5ee33f89ab598b2e48c75f425e5470f6d411f33e065c63c440376e0fdf870566ec4fb60de49c5667a4e1ed7011c0032e682826df58ba3e8c6ba5216d2baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
26a62a84aac2e1ee54bf6fa95d663db3

SHA1
539fd24187bdeda84e3e42009990e88c0b3f3136

SHA256
8552a20d98414482dbe32bb40da160881016608e66e378670d2a9a9c65288740

SHA512
9753526d7722df283251526f53e79799151f2254f4454a6a9da15bc5e4a3b5f8c5dde55d9bdf7c3b1123b15c3499c1c0b6f166185f22bad7c85ee9b3454636c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
273df9b3a112b7965614c3a02b8f77a2

SHA1
a6581919e3199c8405ac0fbf4ec9d2920f4f0025

SHA256
80debc0905458a8731dfb1c80fd480c69ff52a2dc2f5b395f5cd91d4954ff8ff

SHA512
54969fbbdb0f10d23ae4d38ba428c023371332f4532c102ec441840dfdb9008e298f5fd6f0d4cfd24b3eb83e1f3334ff858d519799a917a448cd5e555074142d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
934539f9bdd3f8ba8768c0bfce24d2c4

SHA1
88d41f61cbb9bd4b887c568452487a9e212c4cb7

SHA256
6f8b95e62a5bc256ff4eb0e418045b1a41ee70dbc4ecf91ae2339bfe2b97840d

SHA512
515bfc463076a8203c204e1fc6f46831c0cb68fabec93c7efc587ff99d7a7e2c6c456ccce23c10592687824141a34738a920b876297cb2a0e70d3f45b4e146ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
0d6d9b30afbd58a967d6e4ffb4c47d59

SHA1
87276a0ac008f7d837ca4493dd9587a564e5d3fa

SHA256
bed08402808307442b1ef5024b484f11ffe12dcb85ceba38f8a5d5323bb7bb66

SHA512
18b1d291d70f1a46e10cb1d5e27f293fbb8416ad1446af6d44025b34c3b0a0ada5852814f3ffba6cbcc965f207e93fd7aabc941b9fd6e8332b49e8c0b480e46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
962ea706efcebd78fd561ed2c3dcf4fb

SHA1
5ab04133f069235d119bd452875a8d01aa8b2205

SHA256
50e60e6f6ad3ddf48554c5e5be59744e78773bb42ea72a8d6ec0a00fa805a30a

SHA512
5f1ae749cc9f4a51396069eae15a5fd00efec2740bd3420b44f138759a61783068bad93f31652eaeac6951f8d43a8913f858b0a8422f78e4455887080cfdaa6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e937.TMP

Filesize
88KB

MD5
56f5b592c1845a88d612c2e71d456c84

SHA1
61bb23d9d4451a94ba8eaadab6bb8efb679e2900

SHA256
c51c33c6d28bf349675a6817e80fc216e9c3fb1f81f2bad1e3e56a2308fe01ca

SHA512
395b6ccbdc613ff023ba552e83cad806565a448bcf6ba136955ac506a0d9cf51e8a3d965605e3dd0f3f3e1742129bad38dbef42086d14ae5f399de7a5d90917b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6ca92a59dbf22904705d47eb477ad34f

SHA1
ab39a4cf2a840bcb16bc6c1749eb48727b1d8c54

SHA256
0a62ec27e305a1924298bd34d8460269f1026e144a8e6112e92896d28f411537

SHA512
fd22f79a44d602253e66e771ab013ec3c929daf84aa7ba6718c896317081b855c6f3379733d58829d033ae61c8816545c89cfd6a35356d5728bcc87019be9bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
551f0958bc51ba8e604031fb03602c4b

SHA1
8e31ae43c8d81790856ef4ce9de2dae3f3f0a2d8

SHA256
e39773ecdc6ed52c40d710cd0b0fc5c26d7f5efb46d45000fe5f9d046f2c9e37

SHA512
63d1ada09df7a60895bcfd79e1c6a9971c9572304bd7541010f9316cebfda878fce7532c506e91ec437ded64ab17bd551d45489037debb5fce2b1c608468df4d

Download Submit
C:\Users\Admin\AppData\Roaming\a63b0ac3136770.bin

Filesize
12KB

MD5
9fe277fbe6aea677db34baa90c61b1d8

SHA1
35a23fc95463f6fa0321ab12bd845b98eccde64b

SHA256
342502bf87c742141a19669965b00fec016b5cb832fed29bc779310b1b854382

SHA512
4b54d8d8b66dcc993213c5dd615e24832aa7f6ee76e68f169d2ffe15732ff67ae03bfaa82100efef5300d4564130ede3e976f08c6bc9b1bfdb80b323a67dc43a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0a0234d919204416ddb611d81d6a0a98

SHA1
23f1ea1c514a78e55e1c7340dafdac25a721db3e

SHA256
435003ab9175b8a27cca333c1518b010b0e434eb8a4962d94390a195090da977

SHA512
16d4c721992488ce81b9cee7da6c82e536306a568a75ca60d9160988b240d07bebb8dceb90d45e31487068634e44fd37b539b890dbb418a04bacf06e6ea7cb32

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7b0f135d6072b766de77cc3c0b518569

SHA1
b5de299e95b392b7097bfd63f71b1d0a0776941f

SHA256
a18cfb89d40323068b1fbdf8f4da8ab596aab254158e4b950510a503a8d62301

SHA512
cb2c12f933c702d17a49340569212323e4069da2ed119d16501a237193d2d02320549c7e7df9ef353ae2e136e1fd053595f308a8827586bd1ea2d7706f4a6578

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
551b4c22b82ea82cc14a542a1b3a7318

SHA1
3dcb05d26b0ac90b923beeb0b2e0b51afe5fce34

SHA256
2f36d52529f7e0ebc9952b0554ad2642c766014cc7fd5fe79153a5a3488e2539

SHA512
ae66000367810de4810f306312dfa8582fa040edd7f40c0569f942d994502c7b7124980ce9a0667dd59ca1c27086ecb0945621666ed18678a88c8a0bbc1f8567

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4298a8ec5ec79ab079ca6c153b5d5763

SHA1
e85a8bea9ad3481fd1254a5ffc5ba71b50bdca5a

SHA256
76c6b1c0d55a4d80b1dd1b5fd6829a1f001d65ad2d417108f912a071fb4551a0

SHA512
8aa681252de81ef65da7cfd8ce8924ba1ba27522018707055e3f8fce03e8a5ac76364021fb10d24f222ac8bf9d06549f4dbca9e24ca43c17e5722f65d96c19a1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
40ecc3a36843ade2ab6ea0b94bb4eff3

SHA1
68ff61af051d537341bac7e615b4a81c3a74976b

SHA256
3613fcd073ecebd2bf804eec56328b016b6bcc9ca1cb819e66557a849535b09c

SHA512
cd7cf962d1d0f414092b1f90e1f1b28e6020baae4caf820c009b2161f33e93e59f3f3bff94013978889d1380ab19f6d22728cd1e6a22263df06ff1da8993ed0b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db716df814be0cc1cab3fa8d1f06b79b

SHA1
14f9b85857080de732e05d0c48b46d7d0a8bee86

SHA256
207e988bdd04824e3ebe9788ea39df9433629491d64bdaf239499fe78e1c9959

SHA512
1b6fddd9303e5c6b5aae9768ca641164f10c417be927a7c4a3cf992b68c22eb68d4145a83f3d8e2e1a095f171b573e7cadebc4c2157dff1640f76b22aaabed63

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7aa669dcb3f10188b2d0d279c310c56d

SHA1
54952c4e79ce884f25d1d338e63ac363286d680a

SHA256
d50b8b6f5db5af3eeb080e53ea4336f12a81cc50523b0ff4a724f5cc46b30f5d

SHA512
1d5a141c47f401eb22864326a4d5799511d66c3a92cb91e0444a414a859cea23d46e1fd6fb01ab2f8ce1ae32e20a983f16a81e7ef9de8265407c67938dd31ea3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c32579515f6236779a6a22d121f6f5c2

SHA1
0cf08914299bc4ccfe6c760e17f9cc15296b7c4d

SHA256
5c0ed849fd675b3aa940f311b5567e60db3578e374c9e276f869f4b3601b09fd

SHA512
e07c4b205a9df46ca78b2da64975f46721f13b1fc4d27386aae0b0c485ef3ae7b221f3ab57fb0719a0753554077e2c9a0bc254d3a48ccfbae8ffaf7a45c10c9c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d2d8ceb407c774975d0f03d8634cc17c

SHA1
92cb9eb166ff8cc34170aba838a87948c2efa5be

SHA256
e177ab6851a659009223ae8f3a4e02038e5d64c0077a2d487df5f57275599b47

SHA512
169846cb01e27307bbe37928162b77e4b1bde5b9474908d8d1f530d4fea678a4cdac2f4ae406a1a26586cb2d8872588bd40bcee13471c350153f947a3c447cf8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a3f842122a0d8adea04acad1f5a3c334

SHA1
627df70af8b520b57230377f40df24c095c0fd11

SHA256
0cbc187f2fa95f2e991acc76b25a3c1d84f4c97b33a452bd3b231fb09dacc45b

SHA512
9fb0f31b97c937c5b234432b066773360b42160923eebbc25c417879a868b48575fec5236d32dc8fdd0a11492a717350c8d11284be2147e922edbbf40109eca5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b7156ac3552b8e38fa29a7eeb8005edb

SHA1
1bc350f20b69a066633a9a1753a13b0af5f3d342

SHA256
36c8479b305996feca065c1a0fe2545cb9b7534a3d95dd7900fb3d9c120df4a4

SHA512
dd3149f879b06d9642196f6d97eeecb10a029278483464c57fc60858b0cb86b4b67e51e4c5b090085dcdb59941a7009f4022eabedb5c0b12be0448617e95b58c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cd2ad369d3482ce8c26dd0b89d02a75a

SHA1
4c3e96ad250bb1ddadd742107d0141a612ef689d

SHA256
e2bdbd389593b03dfef6a18c6313743728beab11af4374c7b725123427096709

SHA512
c70ce5472be48aabb62a28546b62d02a6e840306418aa73983d0f3a6ff555bba42d574f7ffee6b5238639b5aae0a280ee79d3660452ae9b95c9911cfef08d26e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b2d34e379ea8222111037cc2358fab8e

SHA1
e3e31b4e3a0956cdc9fb8c67d5e701a4cd709b96

SHA256
061c5826ff617be063be870c07503cdefb8c371ba316d03917d5ecb27f84cba9

SHA512
03fb499a0bd578581387efbd44f73d283db0a64860bdfd75f2e002345faafbadaf2d92a9150d3b2e730178699e882332b893c4c47bf236d03bab2b9db0ccd926

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b1bfecb3c1ec11f6a4c71f5d6c80da5f

SHA1
6103b4dfb00c151476bd21ae7de3641b99207863

SHA256
d239588d0db5443654b31d4cac2773d2fd55068057358e37af7292303014210a

SHA512
7ef795394cb7836afe5c4f4642759a368f59e2a5ad4630792778e3b96c853df7e39e2ba67534d2b925289c7bd200421f6ccab0ef48d5e070c459e3aebf859c2e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
60a88e69e0afda1a5cea02529254b54e

SHA1
70f93bcf1adb14578cb43b08ff95c30f8f322000

SHA256
cac59c9a0fee9988adb4288e2c28050c1b3cd8115693fc939dddd2b5c30f3029

SHA512
47b310f9492a4dc428d45f15eed37923df185c9a2e392d6f310f7758a92511d579551a42d8dafec811e4c7d8a61d2b3c07af17728438241479c1bd82f6dfbb41

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e00e04f52607bd9d6ca8dadc976eccdf

SHA1
f006bbdcdb76333e977b755d66ab9e04a9b04955

SHA256
147985ed90817197cb4ca8503e006270dd92326d2da3a4e44e45f72dc783b397

SHA512
465458697e0c708ff6f8665e24282b3efe9428954b82d74d1510f6c438cd83fb91d72525bca0235c33d3585f04dc90763778d9fde048f9bda43328d4191d0648

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a070c376ea8cfaa044cc66a3f42d6440

SHA1
49ffa36d5e7933da400dccbe5da80bd6372d29fa

SHA256
59f31dbdfeec3ba3afe26c96d7c40af3c0e049b55bbc6dda2b408bbacccb125f

SHA512
2cddd22b189a6dc02ece8d02cc3a346a6816fc697f851b4b513f42aadb3ea806dffaaf9496704e916b54a8466199ffab6511d9c0f69bf49e816cf06638927dfd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ad99a567c217ae0a22d0bc82f75e4b5e

SHA1
12b4d558092bc49bd5ade80b1a2a29cc8226d3dc

SHA256
715ad0967f021542eb4f59b2fda10ec040e43762ea91d85e4423ea0bf70071bf

SHA512
1bee3a73c9a2e5f63cc440ce7620a7bf34c59c4e9174f3602cea0808c72307911b0fd6864ec5293af9b63102377e57fe57b267d34330baf417bb6cb14fe674d1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6e6719f13167e30ad9e571fa31894ee5

SHA1
3db98290e80db2e738a47c0b2fc3b69710ebae83

SHA256
f1f2cae5a7524f1c28484c32bee122fe35cea95887eab753e3ca14e20a826b2b

SHA512
482ee121bc8b64bed189264bec4a3637608154b1fb372627c854a6b4e6730c9171b8dff6ee97824a69869d9e806ad403f7bc4507dc8c0d55acebbdd72d9d62cd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b929223ad78c2a25a6b1589b0744d5c4

SHA1
99791415beb3761080d1df9310dd6ca39e6385a5

SHA256
a99ba44e273176912a8efca32e369775f141242218d27541aa2d608fea1302d4

SHA512
3f23bf3fdbc1eaca618f72cfc67df22c77c180320ffd08498c9a4971fa3dbba2d9e889ab2217a1dd488a639982f034f1d1646e3d2a72ea163f48aedec3f02406

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f4425e50d41fb59f03096f08b45bc6fe

SHA1
6524877de03f1928dbd03132f2fc0748b2ec45f2

SHA256
b459e13bf151a9d89342aca1455449a4bdaf0bc0e6ccf149ede7276c9fc5dfdc

SHA512
2e0ef59ecbc7db947eed7f1902befae0eaf03e6839781cbc1f73864984be0caab32760283e3fc5a184b4158ba9995913fabaf0ba7393b054a2d2a2768ed444bf

Download Submit
memory/436-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/436-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/436-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/436-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/436-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/664-132-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-278-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1368-291-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1368-137-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1376-559-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1376-237-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1492-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1492-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1504-205-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1504-527-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2176-208-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2176-540-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2180-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2180-19-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2180-116-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2180-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2472-193-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2472-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2472-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3380-223-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3380-555-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3740-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3740-610-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3920-250-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3920-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-56-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4016-62-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4016-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-87-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4104-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4104-303-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4164-117-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4332-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4332-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4680-192-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-136-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4900-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4900-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4900-40-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5000-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5000-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5000-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5056-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5056-49-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5276-279-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5276-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5392-653-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5392-300-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5432-763-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5432-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5520-658-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5520-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5640-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5640-320-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5736-678-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5736-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5776-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5776-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-764-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download