12bd1ce52e5361cee88a6ac1f5d6997199b630fa165ae071062f801cae89522d

Analysis

max time kernel
15s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
Size

4.6MB
MD5

43e12ddb24aad431b0a7383f4c771bf2
SHA1

750435b39930891676f2207114e38ef451523a3f
SHA256

12bd1ce52e5361cee88a6ac1f5d6997199b630fa165ae071062f801cae89522d
SHA512

1fdbdaed98bfc62fb007ca47a3ef3db31ba30a980a136e7edfda51eecb6815adf39182f4a169da17d3ef69e85188ed50f4f2561f18b26c8823075c7b7b71dad6
SSDEEP

49152:nndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGC:v2D8siFIIm3Gob5iEDUyuFC4Qmd1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2828	alg.exe
4936	DiagnosticsHub.StandardCollector.Service.exe
3200	fxssvc.exe
3524	elevation_service.exe
2484	elevation_service.exe
3196	maintenanceservice.exe
4004	msdtc.exe
1412	OSE.EXE
648	PerceptionSimulationService.exe
5036	perfhost.exe
2784	locator.exe
2508	SensorDataService.exe
2480	snmptrap.exe
1252	spectrum.exe
1332	ssh-agent.exe
844	TieringEngineService.exe
5092	AgentService.exe
2984	vds.exe
2840	vssvc.exe
4268	wbengine.exe
5172	WmiApSrv.exe
5288	SearchIndexer.exe
5788	chrmstp.exe
5928	chrmstp.exe
6016	chrmstp.exe
3484	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1a7a0a6bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000858b3176a4b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b9e4476a4b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008773d76a4b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c030976a4b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9a3c875a4b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fada2076a4b7da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621055894044456"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092650b76a4b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fada2076a4b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000217be075a4b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b8c1276a4b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4668	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
Token: SeAuditPrivilege	3200	fxssvc.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeRestorePrivilege	844	TieringEngineService.exe
Token: SeManageVolumePrivilege	844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5092	AgentService.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe
Token: SeBackupPrivilege	4268	wbengine.exe
Token: SeRestorePrivilege	4268	wbengine.exe
Token: SeSecurityPrivilege	4268	wbengine.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: 33	5288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5288	SearchIndexer.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
6016	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4200	4668	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe	82
PID 4668 wrote to memory of 4200	4668	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe	82
PID 4668 wrote to memory of 4012	4668	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe	83
PID 4668 wrote to memory of 4012	4668	2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe	83
PID 4012 wrote to memory of 4868	4012	chrome.exe	84
PID 4012 wrote to memory of 4868	4012	chrome.exe	84
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 3628	4012	chrome.exe	93
PID 4012 wrote to memory of 812	4012	chrome.exe	94
PID 4012 wrote to memory of 812	4012	chrome.exe	94
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95
PID 4012 wrote to memory of 2232	4012	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-05_43e12ddb24aad431b0a7383f4c771bf2_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98491ab58,0x7ff98491ab68,0x7ff98491ab78
    3⤵
    PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:2
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:2232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:1
    3⤵
    PID:1756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:5628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5788
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5928
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6016
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:5800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:4248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:1464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1952,i,1383411440189464495,11787158102503471933,131072 /prefetch:2
    3⤵
    PID:5056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7ddf8fae42f3b3fb3e9e6cb1c2b06f5f

SHA1
67e3d991e80327fc34a31caedb80cecb2ee0e801

SHA256
a626c0c15644d1a76f810726801b1fce7ab6f42956b8de50eb1ca13828e6a1bb

SHA512
912644870a038bb7b21464b9ad95454e8356150c7a1114572828150e79f8de0117fa3632c92c5d30e5d439e95ca2edd211cca7e636673f81772b0eaaa97f639f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
83c99fa073d698e76f7031d8537ef21a

SHA1
c287d834f6a280499de8f1727def33a766a76e8f

SHA256
f92ea6d86dc4bbf9158c1f9be49ac8cb03a6c4478429eb301e407a14d1f129ba

SHA512
cd0f246cf97661e3e42db68b3db1f5a212435c0ae53bf49b2a01910af1264daa97929a9477e2d4d9dd29bf9c37008e09835f6308291ae1f496177d6215163a0c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
202abfc43b128619233a88d67d0b5655

SHA1
b1fd76bfac5b2be8a6054e3dad6825b0692cb1b9

SHA256
1188c843522b86362442044d22a914488cf347869191c87c03ae7adefe0dd3b7

SHA512
f8bc96b570a4563dba73665c533a1d3f6e62ab03240c6cee4d2072e47574f0f1e0c4842a0ceeb974dfd40aa949d4e110cc72df6c816522120c4cac6012329178

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3bd4fa93ba922da55c4a4444e6bf21aa

SHA1
85c9b288254b462c88054b6ec4b0a1a2df45451e

SHA256
1e762725a510310a3fe33ac9d51142c3b27a31d6167c607b98ec708edaa656bb

SHA512
642e68cbdd24f3575f47a5960d9575e14c083c1ed4a946197f49432b4478ec7caef428b5ba40e2478b22c50487f62c3dde4adfbf9206080f4a8ab86157ee60dd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a427f54ce89456f68b8d85e839ab3fc9

SHA1
e0a698eab6de3ba6c912a9ed0de73b29fbf97ed6

SHA256
56adc8e1b6e04d040f3b9f7c02575b923f1e1779895045a7d4c1955eca010848

SHA512
d60a1fd2f0b5752ba4d201d8203bc6379cf48bc49767a3258c18091cf30df285ef266256e3b5dc9dc0efb700d0cb0c89c2508a5d1423fd030b73bc688a2b6bb2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ca5a1177f36e4da8a7e96eee07a78870

SHA1
a36101fbf7e116ab105cc92f9f429a309b1258a2

SHA256
0d28fab84dd52f154799dc71b6a9d3b9fff6b383658b01a26a7be81d24f5cccc

SHA512
6af2126607985a4850764960d15e7bb44f7efa60146e7ceca8c7855f95ed1a81f03d59b1266df8ee7a1f77abdcad2327e89708f8bed9c998682c114e247a7a8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
44b69a9f06761de071fa4637a63fc31b

SHA1
bbdf1e54337fdaa50991cd154f83f29223d46dab

SHA256
98653eee6c60f7cd7fce010baca2657d389226546473bb6aeaa288c12c3cd15b

SHA512
a66310807ceee8e690fd95b7d4d3da693f7323b869729a2262724262a4b9060dfb2c71b79346c920112453501364bebb4d1197f83cef15ccc8caee83167e9c26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0c1288763d57047b49c87fd7b9f90c8

SHA1
1a32eae68ac8a1b1a26d52069b4ed56e41efab6b

SHA256
059bcc1c7b646901fd968145360256b626027ea5ec851ad955ca28043fa9e1b9

SHA512
45dcc966ab7472db69b9679bc25e2bb3d0f3dbdd90b322156e744b657f993c2a9ff7fd72c7c7cdf438dfbd6f7e24c825e4dad2c6e2f0ae2f4260880c5f48ec7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6c984b2623683d6f070502da17a38afa

SHA1
bc514e73e19aad73e8fb935b2ee59eb201c4c719

SHA256
5752c245bb5573c168f1fd5204fb8a583af68c1033f9a861e38da296a61f9e26

SHA512
398db9c72d1cfa459899db6a789d5dc76ebd241656a3422f8cee6307d7c629c47b07f32ce358461e4794c71f5b15c81c0242868754566f394b41f40c5bc0d793

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4a6072614dd7c814ec3911cfa47c1ab2

SHA1
13acdb1cb25f78c229123a99635b63de1dca2bda

SHA256
bf55c5339ba616de619d6c320ab1c45831810395ef20537259471947cac5d871

SHA512
aef81ed882e89c6f714756939c2776ee01687bca7e474fc1309a568ed7e5204e8e2f301cebf21d35b26c00515e4300be20853e2f42ed367ed1673bbeafbcd7ab

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
52158ff9918e6ae16aabe634488c9701

SHA1
a527f75bc245c19a678762e3032a086fbfa7dbc3

SHA256
b92d6db23f76e8eae6683934101ff84762967e3d8377193251d83a1c3ac29052

SHA512
7f5d3364503738d47510a751dd00942bf5b9b2f8e93101120ca5a69c8b0de2f7bd8270c47f9b457727c92d4f7f7dce25d693aa21d039fb04fb58dddeefc6fa3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
2.0MB

MD5
02a6b3451deb7950c39b426831b705ae

SHA1
21eee3907dfc7c09b0476e8f278b98cf4eecd05d

SHA256
4e94b245f25c4b72ff1d57f8704d6ccc5a4db23dfac6a1e24b9119324f2e1c97

SHA512
1527e3519a8b7e15e5bbc8f9abc675493e525233b7e136e7185e202ec69f0b1f123beb3cc9a611e64912352d8c27a9690290c8f3b037cc31b46fd51a62e301b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
512KB

MD5
455f23e55f8dd02a1571c51080bb7a1d

SHA1
130d55c3c1c80e957473325de3c33ba45c34fe62

SHA256
8874c624b68d78d52b77c96df569b1a36aaccfbfa8302ae2c320be20b1043998

SHA512
d7766db2cec3dd6d43630e0e3d7fd28daf901f97687905dbedb39ae512ef6bc7ff5ad64b996c3b89c6045c81f4fe4a396e6f65c4e52f9a12fd46d9809d0a61f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
3.1MB

MD5
c7405ef62990d37c4804c0796e2f708c

SHA1
a04028d66034d1ab42a5e74f783320cf7b84b4e2

SHA256
d5ffcd610002d01d8f31ba5e02a56e2bb6a42fc9d466e3fc6b631c25c01f9229

SHA512
9761d0d9547d5e88bb2fec617d6dedbaf275b8463ac6ecaacc2004713dfbe8215853369cb693259524cee38c38198f5972f9c34c584e6342e8ce4b9393aaa3cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
448KB

MD5
c84007e4159d370d56fe2aa274a3d8e4

SHA1
62043bd2668453ff2744231b09340b3d964370da

SHA256
fae5997a47d6b183d7550e50e522f5ad2ac81751653094b6cd9fbf551d3ef6dc

SHA512
8c45ab24b0f2f66173d00c2df2241ae3e6aeecb3a4494691e0621d7674578fa202367ee5fc6fd1a09cd0b3ff21633f2b635b9446182e6b883317dd8ad9ffe73a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f474cb4df4701aa1a8a4c56154e26673

SHA1
78cc640d3b7886425bf76968a279f841cb06b38a

SHA256
edcdfdd090137cc7632e89820649940d7674617b706259378f8b4bb2f11d99c0

SHA512
bc19e441642f64a247e2ead55689f41bb000248eb855f3b9c16653402fb0508e81ef1b7a04d557bceb9be188f77904939ba85f8f5b3ebe279813f0fa758a357c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\92ab872c-79bb-49b9-917b-d2e0318f710c.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
252243d837490c444373e887c50b971a

SHA1
7a31e959faf7ba05aa676c9d0e2460c9390c574f

SHA256
0669591f64f86676520d6c71213db3a22ae337dfdb9f7a5ff7e628b738a2608f

SHA512
5964eb39d8ecce4f1d7f4c4708895c4b47d87a0f40c97971b8743cbff5f186b755d1dc827b2e0b6f0f8384a03a63f2a82693a5419e3d166ae73f366ca2ec1e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fd4295f08c945461bef59b8581c6dc67

SHA1
6205ed8c6e2a8f3bf4c0d3ab345ff649e8d594d0

SHA256
14c933edb1d26c3edbf324a5c1a2107f80b2b0af62aa46431a53d1e639ae83ab

SHA512
a7b372e6862a7ff6cf67ae290530a5a3d9f477b0212389929579348ec8d323df19b5f2383f10477c12ecfd796065a8d61ae51d3ff3bc14705c516034f8b320c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
62c091ac67ccf795158973c015481274

SHA1
25dfd9c116bb1fc73f3474363696157605bc7ba1

SHA256
635ce2d5de583126611561d16cf4e6289c2a6187efa679215ea28c9df7f90ff4

SHA512
b6ce817f7deecaf928e4fbcc8677f0102e9e3b55aea2b3a3d467c1603a19ee946b89b4e4135aef9d73ae6d5b13c00628beb80f8d17fc94e1c9961df77078e8e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39c1445d14c862cbfca98ae7a62af0c9

SHA1
03aa5f3dc423e53a200dd7bd3541be3efd69b826

SHA256
47895efb049f3d4052e1fa87791554eec76b04d2c42da5fcbb1a9a0582db77d4

SHA512
366450f17319e2c83d770da3dcad86f9d65f0b4a87314cc80bdc8e728066eededd9e26ada2e4ab97fb5263d4b219294381ee4ffe72fcf12a57b95443ea578774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5769f5.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
cacee61886eff5d4f477ffd216c2823b

SHA1
2e5fb47529ac4a310ddaf0223e88eb0734b3cf95

SHA256
2bce1de45ced32e8551af8f2e7f1f29cb2253ed0b5095e56f7a7575c2ea2d723

SHA512
0466ca26c25d4e501c45aa3da861a461f6e4f92803d7c554948afb28d56a70a4cd1e01c403eb3500cbdcb61ef11e5d59264d26985c49ab489fec04c7d19daa2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
ff295c2e1e3ff93b5c692bc8121b42dd

SHA1
8efefee4a4eb7a29132b5a0c3be88ee09d7935c3

SHA256
917a591f899f707c5719944bb0b007c469209fb27e91aae8299b3ef2ca29c3d5

SHA512
5b137d03ac6314a3da24045cd156eb5483822b2537c69e7073c7894524c629964d4346f2134411781e1a543fa9028b6be4b79ee0fe63d79d8ce8f5a3aab8900f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
95367eb8f3f98f37fe8c11bc77ba23c4

SHA1
73c041b3da2729ac7073f287b97c1d6e68059eb9

SHA256
4107fa6af17908bf54c79bf7d0254fbf19aa9357ad1cef8e7240d1b84da1a949

SHA512
7581e22577e53184a395098453da57cb85fd9737fd74b971a3e1a3460ed9f5a26149fbfa096885b397cff21a840000ee8cdf6792d18b3f5c4e02f2e2be773723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
40106285ac32e7c14010bd1adcd00ed3

SHA1
4ab81fe5666e40f811b915c9b1239bbc68cb1ee1

SHA256
2d2af8e44491ba824b424735425cdb99ecc6218cbbdb3d1cf63de9b0cbfbcf7f

SHA512
dedebd230c6e0cbd08da4d818988f71a84b40b239ed1afb081bc457576fa8210be97196649bc832e96e7948481d91fe595c3c4087719fea504606510b93b2e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
dda758b7bd4162cca47d7528d960f077

SHA1
bf26869e7e22b305633f0633f5a8c1e39a613d13

SHA256
94022106c6c5d226a8bebae0d4dface561d76b6c2ef4a343278986bf64243afa

SHA512
88c9807d7e70c31a3c371e2ce77f7a9ef3456c2e8849591ee58505795db2c3c0c21e7617cf3cdb8980ff4bf32e34992b3665f61cf23bd0f803671d962304c216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
7ce91835cd61ccd2cfd89bdc61e285a9

SHA1
e98674050efef943d78711ce4bc26459bb0c7b3a

SHA256
da1acb3c59dd4f01ecbfa2f54c7405c2c89f48de023c16a6073d5a5f1b141ea4

SHA512
638319cbd5c1846554577badda1bcff8e4d5a0f0f1a155637e8ed549ee46f74b4d93d5d9cf0a0732c9a6f46fbc6ed50e047d4421203c2947786e59548eb9f927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57df54.TMP

Filesize
88KB

MD5
8e9acbcf67e85c672eda9b1e2df927c0

SHA1
1ead098f5f603107629a45a2a9f095f883cdbb4d

SHA256
577a70d10f2f7a1210f8908b968f3603f9254eaf6ad273f615926fb9f73b4aa7

SHA512
ccd0f3d6d443693b0e576863cd9d83b73180d74b5ca4b4593da66fcddf86aa83f1eff0cf7b67de37b88ad36d402cf0c1999cf3a5838ce1f15d25b66b44d30291

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
03a9e75dac4df0c48fd5816cb2684e79

SHA1
bc786a2e79ccb69aec18fa80f942df94c4abf39a

SHA256
aea0e2e220087f4e2db67f59bbd763ca6c7dad7b52386cd5ee6d76ce9976eb27

SHA512
bd10d17df76b6b2a71676d8b5111551b5a9d0712385befd315f4651269ef5c724025bca5dfe01cacc1260ffe9b29ef851f87245b5d05df5c056ee3af8905d3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b3b0caaead79fc8bf4da3f7e5e8e3009

SHA1
7cf6a2dd88181a7b5adb4da508c752665c41fa21

SHA256
aa9e13c8acddbb58c5359ea0bc4af71ac146e88adab2236152a3c45b79858bec

SHA512
2dd0234b2c8b69fd7475ebe05458e27f047f01b05220ea44289f835326cc6318c106e7900873ef58b2e8f9202af99b9d9635fb2cacf032d4c4a2553682a1500f

Download Submit
C:\Users\Admin\AppData\Roaming\e1a7a0a6bb5459c0.bin

Filesize
12KB

MD5
987e5aab83b1cdb183299821fefc07ba

SHA1
9dddc5f766ec7219f6ce3a69f7c6b981e657a567

SHA256
1be065665ef2bb8df86fe48a5010e4a0fa7c9e52d890739ee23fb20e38ab27f6

SHA512
3aaea604818cfa88f8b4e3c79b6924e8bb240b622704d2649461c44303740129c84713250ff68a01f3093c497af8515d2c472a985109b4344b3b9799b696af4a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0e5e564c18f7c847b9b2c406c962e4fb

SHA1
2d3bbfa9ccaec6d6245878800eb4ca513920575d

SHA256
022085065309a0fff513164e1714074d76ca80c837405eb839684388bf252639

SHA512
bab154fd11666cfb71fd59a8282fff3cace278d329c7e92dbafa4107b61413973e2f9a2b7a6ceb72f6bc49d0ecdbf36e483c63172b5c16b9fcefbcd14364e88e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
448KB

MD5
744bb15ccf2c21bbc20da6b8f8c878f4

SHA1
ea70dc0ba20b101a889aacf34b8a0fd9b0ff9221

SHA256
680532be3bff99fd07a8290e480497a490216f6723690f2c822829d59be74c78

SHA512
3539f312033239aa04a836793f41af8fbbd0e701caa02d2abe6c3aaa9e53768e0886c4268a659be554273b14c6d992eb4fa6c031998a331531c18012bc4d46fc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4ecdd83d93d1126d0be1003008b84d2a

SHA1
ec6f6ecbe79207b0a28550d09d5e5a6fad340d4e

SHA256
5075c3d5315b85cc741461925f9c6d5d9f22483a9ef45f18be9840e9f2baadeb

SHA512
ab092d0709d5e0c5208e0e4a27285811502e855ac3462dccc0263a1ed5da3cafa9d788128f264c92838022e822f662dc4a17c0a7fb1d1f05ad275d4902f40fbb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6a07196b2db918c478905a80db0dd8f2

SHA1
03f8fe5634abf11a3b7a1eab1734467b9fd0032d

SHA256
c52c480b38f519374766530a9465318b4620b93d597f04b62d08c388e88a60aa

SHA512
e67ee880f615da3d66bf2f0f5f10af3244a391e509bc37e0d6e210592891ec2ef0d973c4e177c674326359c706bd37e619e60bd16711b7038e2592bb2de10a95

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d349542d095ee4b10cb1a926772af842

SHA1
33ba88fe1e3f59a4cff3dd8cd462561df0eaf59a

SHA256
aecd8f187ceb76e7a182a324c6adbad8b339b61004b5e5f557b851462fd77266

SHA512
955cc95acf816e7882fcd1632d6bebe235aaba3adf78e9584e3519b4c5c133be83978ea8399a95b2bdc5bb14f0a60d91707a2b4e37b8c0bcb0258d6635a0ea08

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7de69145ace45569f9e79ae531fbfe3e

SHA1
b0b334b5ff049ce54e160331b9297b4302906ccf

SHA256
ece6c9873e00991c3a93212788cc569b695a50891f0d0e986a6a87fa3b320135

SHA512
8b5b2c4e73690b649826cdc38792937cdcf1580392d47a7c4b6efa856890048f6e94da64e1e4a6e855de011690d71e4ee494adaf78fa8d0599faeec532044eb4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
448KB

MD5
6b1b245b7958d5f9efae359f9c68009a

SHA1
a51f53ecd05b09dc9695691483a320323722cf65

SHA256
4fc9e38b930b3d6ec8fd9b6c37cb93bd587e014207df8c7d1d79b34b1a3804d2

SHA512
40db57e562f40022b4f244bc2b465773ecaab445c5b9cba1fcc8a7e748707f938ca373e78be1bc1227e9b82ceb585768fbb839038d395f1fb8ff976be39f999b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9e4cfbf35c75e941e17f282801e226ea

SHA1
88ec9cb37827c6a6ca826d472c3e076a37e0dead

SHA256
db9f97d47d9894ce04958df528ffa4e7941ef561edd636892ba22f2036fadf80

SHA512
15b2992ab5529e0ba68b556e57b3adab768655f5516b431c74822f5b3065838549ac9bbefeb5dd30ff6cf3d24946a392edf2b007341f81509a15a0974da8d712

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7f1bcf79bdc4ae9c0db0268994adba0e

SHA1
64b915edabbed39e0caafb400c13d58c5c0cf734

SHA256
15bea354aacdd48eb25dce5755f36b7b293f5826d62487c852db86a163cba50b

SHA512
b58a728ff928a6a0f5f39d668379fbd44967bd96cebc47af44620b95da76f9935e97ada9542b95aa0d72208fd83f476034e4e6d7c42691f3a2070e65b01278e4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.2MB

MD5
afde413d0453630994346a1aac05b5c6

SHA1
4f7fc8deff3b6e8e49ceaf9b6b8f706c66f59661

SHA256
f808ef9e6fc4b6d481961f644b9d91fb8c3277e1c0af09a1201f1da6ed3cb1f0

SHA512
fcd4fb44b3762114ca063bb0e2be724443a1c75d77a1e5131b6daf88edd6712b13284e5b820903fafec75e3cfa68731db5919ea65c4d64b05aef6c836615459f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3257fe8b800157cda8144578d5c6732b

SHA1
0af62a16f83bc57ece5ecea0df29919b2234d7a6

SHA256
4f798b5094de0757360aacebac920ead44d519d2c4c8971b5eb62a8f262c7bf5

SHA512
7bd79d0df8577d1d661f57679ea49c0624758ef5ce8c6919c51b7192e4dcb44c36a3365515675f4d35f978bc38b6831ea4084671aaeae4919e0bfa761ec2ca09

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
448KB

MD5
834faa71c5becac4aae528182ff4aaea

SHA1
22f3fbe0ffc3f023e6742dd178c0da1c4d36a2e5

SHA256
20ff5dca6c9db4f0c085d0b172a7ebe930c19d22f7306c82b0880018b241344e

SHA512
8cdcaf9b29390bd64a7b7bb314f15eaa499d10c37ac258384093213ace03dc6c742180cb692c14f70a7b66692bbefcf1170ba90841c67640819a8da59e23c817

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
448KB

MD5
e767ba18b715c2ee6486f5fd6e2690ab

SHA1
a06ab6e1da91e6021400933777a634845cb2ee4d

SHA256
8fe9c6d0bac1728180cb7bdfa7c20cb2d99b9718519f7a7cf4f1ccf316e72e5f

SHA512
4ad6e64a87c0ea0a97994382cf4f37b39374b45e7a96d235749586d39d5798a3b8a313668fe3d59c4184fd3d56dd65cf983e4eacbd1c6094690f63629778c8d8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3301263510b45f6d46a94b8ddd72c4b0

SHA1
703de5e37025e57484431267a91aa45019382b75

SHA256
1c5dc29c8629720546f87df6288c276b2c4626020599f7462de0df34ca371b08

SHA512
39d97a62c47e4c20394e39b3f70fb8c800a733b49d18e51349cc25bbe463e65a0b043df19278955fa902ef41c7cda7ac9a82e1652e7eba9dff4df18ce8bf7f13

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b6e739cda6aaffd67ef31f3d5d1da975

SHA1
6a3ef894c78723afe1f6cd95bfe3e5838f60922d

SHA256
e6df2dcd8f620ad55e805526572d5357aaced237490d312ae614c00a3e0bf565

SHA512
72a31d48c60786a894ad8f8acd68bfc728544d5ec50891fb02dd442a716a0a1a894868149f2cc5c256f33ff7694d6b02bbc2e2bf2bfda5db2d1e49d7e8e052fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9e8d2f6a79aaafe9fe51b64ad24b6167

SHA1
678e01351c0296482e39c898424b39b62df4b684

SHA256
9ce67861792f7dacbb1c17ef62af4bf05ef06e555c0a0ec298ef9d53e045b1e3

SHA512
ec7c06ece05c1c45d8064a7ec2b0ebe16513fbab534ca0a2f0eb60cea169b27d3cd1e490d5eeabd919110d952aad287161970e03acba91c2352b116a6bc2622b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
448KB

MD5
30a77fee2df232ef8285df1f4e18eef6

SHA1
2fe74b85bd8a9062ad1f81c47a79b3f587ccc17f

SHA256
8fbf2809a43f1c64a8783264e91f98ff851de60e6180af6aa8fb6b83d6ae7ea0

SHA512
c8b1dd19247818f40f42604ae75b39889a16efd9aba1cf2420dbb7c45835760838077c63b48e194d1145ce728d457a1f8ee0451a0ab550b8f86abb85083c6e22

Download Submit
C:\Windows\System32\vds.exe

Filesize
448KB

MD5
3d46bec378a6aa65249b708a9d1afd1c

SHA1
d2dfd1ac47ae1b769c6f5531fb6821a5045c114b

SHA256
3a35a07e8b4300f665a8458bed080715799112b85d2428d2b90ee91ef4372767

SHA512
18bcfe19a06fc944cde1e9b4dbf3c46c4da2c6b4bd75fd6dfbae637007e4eaf8bfcc02bfcc514b944e4b76c2f80aeba638d5dacb6bf30d0cf669cfa976c65da5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8be811dc4a892616b3d2e3f62a132b0e

SHA1
f5b6b521c89189fc6860a94f4f1bed9102195432

SHA256
8b49109962f7bad72931f66a3d5767f16e093beb2895577762dc29ae9134500b

SHA512
97b5f9fe6b8e7295093eb1e1112470372210c3c1a0efcf6b6d493613a67452ea3944cbceab0b94ab4d594cfa3c9e0d65ca9553b7475343325adfc6a58467751b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
113dc3a1a98f912ff899a1455771d88e

SHA1
02369a28a1eddb4f4dc54fea38729c77245ab4f2

SHA256
fd2da68ed34e2e60679f84dd1b221ce7c5c6ef04c37d7dcefe8f18982cae2565

SHA512
643d944e7664af61abb12b26814a22afcb3273e6f911791cc63a0aebe722745111e74232741e6efe88b4f41aacd63267782111083fcb4a46bbe71915f5439698

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
01dbd29b9995f7d90aada5f5628495f5

SHA1
bc4fce81d45b2ed4b97668d36fe112939174d9c7

SHA256
4b052aeba18cfaaaac2ce4ec3d883a5dd4812220a37488435d6faf3f09fe9284

SHA512
cbf425bf66c12cb1833c8cf6a335202003be51b478add42107a42e147fabdb8b3abeb694c93e5d8be7d8b3fc2c81600e7c80cf4692d808f3f071ac3e9fc147e9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
72b966d31ff46211c5f6fc7e1b880adb

SHA1
647b8d2e11df4fbaf784770113483e3920841c14

SHA256
19bc613439096c0b260bc326125accc0a75b924ce4a8725242941be69fda8277

SHA512
b595ce370001cec9d14863e9814ccb718ba59d6d149ef9f693a31e6bd4f2c08bbd4a2b090a3da7ecae85ab520b0d66fa86cc22f5d6f13323b45dd5d9ce39a736

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
20b5c6de817bec1bd30269f5c115bb32

SHA1
841f31adaf20fb819649000ba22c4487354822f5

SHA256
71f819d36fd2c8a1b6c6a72bc7ecfed5d27046b3241de1b27ae8db40ea9c6da6

SHA512
78a8c8501a46069acae4f425af41738ec9027faca55ae811492dc8e2ea7f05fd039b36719cfaf0687ac2beb5e297eb4ea22a38ef849b8e858c23beb9125eb256

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
227c8b2e1c394abbfb440862179153d5

SHA1
15d51ae4109980a0ebca46d29ff4cf1cd16640ee

SHA256
7c13a13147ca230801fcbbc1b405f674ae12953483b72380297f42b4c370d8d2

SHA512
5015fac3a9f50d3a64404c81200af6d4eff531372e5dcaaaf77547d35e9a0a28d42f4ad5b4202afff0f62acae99a96ef2582fa8076067637fdc69d4edd7ad807

Download Submit
memory/648-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/648-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/844-549-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/844-249-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1252-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1252-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1332-542-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1332-236-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1412-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1412-276-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2480-218-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2480-510-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2484-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2508-698-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2508-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2508-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-182-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2784-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2828-167-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2828-30-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2828-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2828-40-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2840-719-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2840-289-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2984-705-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2984-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3196-94-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-95-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3200-58-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3200-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3200-90-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3200-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3200-64-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3484-743-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3484-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3524-68-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3524-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3524-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3524-74-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4004-117-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4200-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4200-159-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4200-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4200-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4268-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4268-730-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4668-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4668-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4668-38-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4668-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4936-47-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4936-181-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4936-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4936-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5036-168-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5036-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5092-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5092-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5172-320-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5172-733-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5288-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5288-734-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5788-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-738-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download