df6d9e590dd9e66153c7b39770a772606bba785875556c84017d62e247aa330d

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
Size

4.6MB
MD5

9c0e355fd91487af386f20e035a285dd
SHA1

de1ddb68dc433494caf9a632e2b3c15bb91525db
SHA256

df6d9e590dd9e66153c7b39770a772606bba785875556c84017d62e247aa330d
SHA512

2a4a1083dfca85c70d087cccd5c690cc781350bf558a106b8431b6cdf0a295cdc96143eb423b4f5a4c44a3c7d22e4195a5ac0efdd78af07ae7a6d7d32b3cf611
SSDEEP

49152:bvuURFfSjB2ZAKQKIFihKwDOhIYz9RtHBDWeTg8iqSkwER4a1HecEPLcDmg27RnN:DSDiKwyhx4BER3AID527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1524	alg.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
3188	fxssvc.exe
4744	elevation_service.exe
4936	elevation_service.exe
4000	maintenanceservice.exe
4676	msdtc.exe
2848	OSE.EXE
4636	PerceptionSimulationService.exe
3996	perfhost.exe
5024	locator.exe
1960	SensorDataService.exe
2084	snmptrap.exe
4080	spectrum.exe
5088	ssh-agent.exe
3952	TieringEngineService.exe
4992	AgentService.exe
1004	vds.exe
2928	vssvc.exe
860	wbengine.exe
5264	WmiApSrv.exe
5456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11e55c7792844182.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaw.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\java.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaws.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000468dc86d56d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a03f746b56d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1c8896856d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dacb5c6d56d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648208303781927"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bc7666a56d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041307b6b56d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004955666d56d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
3924	chrome.exe
3924	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3720	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
Token: SeTakeOwnershipPrivilege	876	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
Token: SeAuditPrivilege	3188	fxssvc.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeRestorePrivilege	3952	TieringEngineService.exe
Token: SeManageVolumePrivilege	3952	TieringEngineService.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4992	AgentService.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeBackupPrivilege	2928	vssvc.exe
Token: SeRestorePrivilege	2928	vssvc.exe
Token: SeAuditPrivilege	2928	vssvc.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeBackupPrivilege	860	wbengine.exe
Token: SeRestorePrivilege	860	wbengine.exe
Token: SeSecurityPrivilege	860	wbengine.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: 33	5456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5456	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
5884	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 876	3720	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe	82
PID 3720 wrote to memory of 876	3720	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe	82
PID 3720 wrote to memory of 1516	3720	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe	84
PID 3720 wrote to memory of 1516	3720	2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe	84
PID 1516 wrote to memory of 3168	1516	chrome.exe	85
PID 1516 wrote to memory of 3168	1516	chrome.exe	85
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 4024	1516	chrome.exe	90
PID 1516 wrote to memory of 3808	1516	chrome.exe	91
PID 1516 wrote to memory of 3808	1516	chrome.exe	91
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92
PID 1516 wrote to memory of 4268	1516	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-07_9c0e355fd91487af386f20e035a285dd_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403846a8,0x1403846b4,0x1403846c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff903bdab58,0x7ff903bdab68,0x7ff903bdab78
    3⤵
    PID:3168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:2
    3⤵
    PID:4024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:8
    3⤵
    PID:3808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:8
    3⤵
    PID:4860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5768
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff67eb9ae48,0x7ff67eb9ae58,0x7ff67eb9ae68
      4⤵
      PID:5804
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5884
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff67eb9ae48,0x7ff67eb9ae58,0x7ff67eb9ae68
        5⤵
        
        PID:5916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1852,i,14253471407530650867,17671275117450237674,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4240
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5fbb51d3c38d714a0a29286b4417119d

SHA1
3641598ce483318c3691699e8915197734427123

SHA256
91da10cac364a1a14088a47b015f80d8905ac0bf8aa8af035e517acdc126b2dd

SHA512
4e426115ef1b1221f89a4a0a6e460566aa8cf71794f33f9bfeca7bc014e2f70be7da2660f2012bbb730d05a8f732c4a8a6faa6a54bce30588adc43d4fb4f6f1a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
983d2578e9bd0d3adcae3eb219dcebe2

SHA1
a39aa297e6fdb024b9bf58fdd430ed9c8a19a0f5

SHA256
1566e07776e6c3a3d915307c476538a68da8713ca14a13ef37a46008ffb20a96

SHA512
62522709f84615512ace0c9a2263578e8d37aea884868a9b72aa67161e9f4a4b9ec4e82d145b736d245ceef2698ff066d69ee0764c4daf417d73867977ce176b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
44eae1ff5e787f592fe449bd6193fa15

SHA1
0b864fcbcf277d8227f68316444489e70e11df92

SHA256
bfab35752c8dbf9349b3aa7c92e73feb90b8d7dcc4964071a8978939dc8fc9ff

SHA512
d862fe4d97a20ae0d1eadf47c768843136636de91e27156f52dd6fdad70e548ffeca9f9bbe843095ab4ddad1af3fa39ce579f5ae07e8ee033a4154b04e4218df

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1f85ced78eaf8fd3273ecc96ab74340c

SHA1
ecae0554dd3e8170078b189a32a39c027cfa952e

SHA256
c1695460bc3b5fb608b7757c5abffdc777dbddec6cd8e83adba2b8324e8e60e2

SHA512
725ccb655d0e8a486eab30399c304ebb6b21d4499ed2465bd0194f95783a736438356cce59d2a0699722cb2e5c70eb4adae246b65227edf009e661de81110f52

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
57582def473b4648ba24cbcc6d6e8b75

SHA1
76112bf3bfa7156343324aa8a86b3b18f9c45474

SHA256
b499c6463a216b34714a1248846e6f147d18796603d0fd4514e6a34eadbf375a

SHA512
c4cd35dc60b7fbef19ba16c217d08bc1683ab8c15b7521fcb3985117b80abb1aa439fdb12b8ecaec5eb4e49b4006b20a1ce807fd0882adef25cebe5c883f0a14

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8fd54f18966e67cc8aebe2e598cb1545

SHA1
8bf5607270ecc1fec8de2c13eb3d749d28c250a9

SHA256
2b7d69538886d769b33428fd7a573060c1616f7d9076efbcbe91060cf4a0845a

SHA512
2707b89136bfc1c50d5bf90521411e80361424f1f9cbb487f9a274aaa195f191080ea3ee75856f0c53c6455d4b39b175227f19b10b5f9d22b0a3f4fbe53745e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a47d9779703487d796e6f7f0a0b9eb19

SHA1
087ca231d8d115edeaf9a3e370e8899a4f6ff824

SHA256
61fc14c047cc787509f8296187d787611f93a51b7953781af3a42be4039ba383

SHA512
1573ffd1cfd3bcdfee622dc7910f88986938cb4273fce61cfc9b46ab5285e0795e732e80f0818fa3b4e60a2f42083fcc758df995147f8b33c3548054713eac7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb9331f2eaa54ecaedc9b879045fe54d

SHA1
71920f63d58b046667f600dfb52fdbedf2ce1830

SHA256
d51329baaf1a4705bd618f4e59efb50eb21a79130c5a1253c5b44ca71f15ed06

SHA512
70dda9c91102ff261023563fa85d5ce75ba51b5f11cf52b1a9a53a24ce61398d56dc4c1ffddc55b00e2acba2db01991152728a0027089fb9168991dbc1709357

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7a308a15c9625bf9021a504cda86a91f

SHA1
5ea40c3cac347ede2b3e3fcb7944185e374d5933

SHA256
182adc5565424ab647afacb7d76e088fd381bc1cfec5b3b242ea30df7e9e8a4b

SHA512
8d959ade2a8a343b82df33485dfbc97d376e436b5c699cddadd30f282bb01dbaca8d1437a920c512a7dfadf7d3359099bc746d249c93831f6f939e45dced8996

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9b61e074c070db1685c02f62d5552e16

SHA1
3e76313b99dc552e2ee0e0a000a4b04e768739c2

SHA256
ef52049e2b9dc9b15896d8eb126e9f41227b1f437d9aae6630cc2ee46d89757d

SHA512
b7417536b678c2ef454c81c29d9191afaadcf1240d2ca0fc273afe924f52f5f180b18f05d8617b3a7e8d83f3664f6b2c50e4f6aea2de6e3ce4432890fba1b716

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4629250948aaafa9ecb6a39017f23ac2

SHA1
2edd36be8432424fbd781ef34ff6baa049485599

SHA256
1e988d8b005c70700b7ace5654df35b43179bffc580c26c69594f19ac4401c30

SHA512
848f5eb2d9b1e32242dbd0895fc7f6cb5d387d375f7e31c27f4ce75d2941d5f3e6b12725b85108dda382b4009d9ebad65cc65b6773ce07e8dab47205ceb4a5fe

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
94a8c6d3cb2a25fe499412efa4d1922a

SHA1
161708428e6b74c4f96880e44885fa67358ca863

SHA256
1fc48622d30cbe6165b2eb72b87b5c49d4143fe6ed1b573f5e3b704eec37fa7e

SHA512
cf9d783fe1ea859c45cb4d28c33295e407091531880c36dabcce44ff972450d425b63e2e5a56c45a209521f39a3d97a49dd55e4a7e8af59a96360c9c9cb13c6a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f6c63ebc3b2b09ffc7d4ef1a46504ef9

SHA1
318bb456a3accc98506d0810b6457e726a86c253

SHA256
9e335fd02b281e5d3c61f650c3789f9574994cb4bb8e1da4ee397d217f6bfedf

SHA512
c03cfab20d71dd67cef29e7ded9a7f8a1b53cb0a1b21249f6dc268ee990e635ea7d016e7298b4d57df8476ee63b89a3e3208760005742fcfcc84d600b6917b9a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
05e9868e3a11296e166db40bcd19806f

SHA1
c4c5763cff9b67704d478504b7e7c2bf59b48027

SHA256
9c4e13d891a3380a7dd2eda7b5e1828c555ee2fdad2a3c0fdc67f5184070af37

SHA512
05fb8a18b5d961a1039a78853fe0cb7d07f122c3fc39a18d524f079af379f0b14995fcb384d6831f78beb2b94d14f0baab3bf6398c7a3a0489f9f2cac648744b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
591ea675930d8d6f86a17c23c845b87c

SHA1
2dcfce6e6104143b07063dfcb1d9a965a042b3b6

SHA256
5611f53ce9ba2856662f4c2b56109ae52edbd3c11b094e0c20212bce4f4d6c36

SHA512
40d52f2fcd9bcf70814cb3a427d720da1a7c9d8ae6864eb147bb496662ec2630bdf761ad4078014ef2e7e4292b67da18e3c5fcae5669173aa221eb27586c7404

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2a71d3cf1135ad99865271bc3629865e

SHA1
15bfe1e7516a767ede1e3ccc3352da342071ddec

SHA256
b06230cd92c3011e9c4fc2e4ef378ee8b3b106d7fb550bc13d4e11ff122cac4f

SHA512
c1914808e4d294dddcfedf90f576f26841fb1f939c337c14152df5f34d6b973d88c18d830e4fc11b8cdd6028055e94c15b6bdd7fe825d1d4b72d4f8f91ffd8fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d53c20b6d83e0ee39d366894fd1e9e22

SHA1
c1b67c706618cc6540f71b485e75ddea7bababa8

SHA256
1c8eca8e190a722b69e82e43a86105755533a14c4027bfcfde1a2605a66d1f92

SHA512
689a1489a7445215feae369cc331fb12672ee98a28b17a3121f436982453412c703275d2f5d59cda5db775f280216fd0440d4cb720af0a6656f8289fa1c3fa95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8e9b6b665305ecfde68c8f6b8bb97b05

SHA1
296ed70869b1f0cebc6404cec705e6e1468edb80

SHA256
bda8e9c2610f2e3f473435b4e96363023e3cbb02f82d043ad2368ecfdc4f34ed

SHA512
38affe30c1e12f6062b64eb1b2577b4784a3d0bd1b7f7c45f17c86abf9b3f8aa54f73469ba936354fc840e0a3d0f3cf50f4d126928d495d846e2127c4dca6f1d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9c41dc8664bb769a19ad082abe9866ec

SHA1
d670b4fc312dd316015e985ba942473f744c8064

SHA256
e11dcc78c45b4457e5b30c2d83fe0d7bca4b87b1901ad0e55eb84904d934db90

SHA512
dd5e7b9c9b9c7518f4d692c8e886170a63363d1935e19282d3fb038db1b9dd079f6647efd0d2f67daca0dbf6c859657d8f9581f813afb472c7953382ceeb5059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8565e818d92964667f0127043fd62558

SHA1
d09efe548cad894cf09bb40699dd8319eec93bc6

SHA256
30286ff39d650d32e5d288e37c7a57a885465b3cc055438d4bf3d002c268be48

SHA512
14f24b8fe11aeac0c8e07497b3e8469f4ec3e3f91d537bbf6171cce5b8ce307d5b93cb2afb2ca6024e93cbb267857ad0ea575b6e7158b1c828d37b6c14ec5226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cb4489357b80761c55771746f73160a8

SHA1
adbf58b280e54ea9e3f135891557fc5fe9019fec

SHA256
1b0999eb2eeae6caa39abd0090125365814245148b7f87fab4aa70a34817e3dc

SHA512
e767d0ace8a7d6403ce114141791fb80455ef6c5d2faa0e303914e53d6546512b6ec98e2c5a00f34b9c5e660f35bf67d5151e06e23e37c293f977dfa176e53eb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d450f734bbbebba6db6b958362460c5b

SHA1
23ec2ecca5cafe091f5b0a6d026edb6fb23082ac

SHA256
5f8fd51b492810b63cb8b9f7121a65e4e6452597396665d83bd1a23a480f937a

SHA512
6249c10a3995c85d0cf81aed9c679b0d4544adafea2246720d3d6f34e585bc55864f6b70b5463bb8c91df51458eb8d6ccc79be060829625b0560d7e1f84cc18e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c30cbd5557dd9dd6e21882508db2e3a6

SHA1
c8c7a8f1c38f173e887c87d545d0fd040ef9214d

SHA256
b849ba18162f070d0d29e6189bd77f34cabb8dd60400e2fefa00a622ba5300c2

SHA512
44d0d2f17bfc865cd8f39246f4697dc160785233a4fc73182fc0c07d721b251391c734689bf1085052e8b31025f0023f7e0325917626b2f2a847fe9390af5f80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
91d9cb9d7d7e49f97c0e0ce64d9bc4f0

SHA1
75ba234da4bb135f8b26e3abc3e095dceb3165cf

SHA256
3ae5b0b2172f0236544cdc92940c2699327c60442e7c442d3422b033117b642b

SHA512
e84a20bc87c8e83f7be0fb2d9e9a9b93e235f91d357bfe652e8c932288f505d3d6a5ab60aa8a3d1a69f951835d8330ed11a1b71e2308a5dddfb6af3d1770644a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
970b8e16945f53423a3a99bef557e6f9

SHA1
5e04791e81f72f4612608bbc839cef7828eb1172

SHA256
fc1f16727d91c9ab0b6c1e158e5d4d7c24b7272b3110b154fc7ec7e46b190207

SHA512
2c20bbf645b52135a7864e2ba003a5896c7a3fefcd25feee3bcdd5b59a9a61cb43b632d857feaa9f9120bd1e405b76ee287bd063e84f0d231163634c4a40deeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eef3f12327e5444ce1445b521dc1ae5a

SHA1
bd663c77fd7cf560a3440886a49f356557c65b58

SHA256
846e37588d1171b7717223dd40d665f6f87f26e54f5bfca98018165a01d9c7ae

SHA512
1d576d3e72e0c6c10461b7dbe279816dd877a5c574fb72ffc2ceaa97633d0c3169826482fcf10c6289978305b3dbe929f3d06712f9c211d3ade83bfd67b5c9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a10b5db1383d1f9ed069bf145956b958

SHA1
3ffa5b522188889d938eff89dcb6f158d7afe297

SHA256
713d3e2004f9b40f3a2144ffb0970ea6c7ed2aad75778a7b5b7a1baa5dba4b51

SHA512
26b6ec5077b0105249c374f5283380d6ae6b74e1dbbbfd49df31ac63b58213f03e67b34c4b7c41135c3bf24622b09339c7f2eb5d59dfbadefcd81a41bd015bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ae25347f6b9702f8ad53abb5d77b7656

SHA1
2f3970493127043bba36ed5b6721187ffca22d39

SHA256
6c919f64c202aa4324a5093f0a32dff9d1f8549a3de86aab6a4b2c53945368e8

SHA512
c85dfbc0591392ab6b75bb3c64b22b5eb490a7a781f599635f1fdc7d2278f1c44d937d7160fa5efc07a9d56aaa5a82b340d2e6615cd537e39d48f8abc8938c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe580d2a.TMP

Filesize
2KB

MD5
bd2d5b6ee99d521f8f46f62ddc501325

SHA1
123081c80dd7e3761c1789f04a5cdbe5d2685019

SHA256
adc94d36ba19ae63d8eae52fcf9cbebb21fad0ccd93e5d5a7e32e68adce43798

SHA512
861445e8e756bf21b8b7e686f05e7bba413335229d2b43bb0117e5204494e7ffaabd8486d4e2fa77bdae7f46d2e573b05723619c2a4f1691bf29d61d52ec1ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7bb1d8eb18279e7e9227d66c91c9fbbf

SHA1
77090f3e11e89b6a2d15994442c4a99ce7ece3d2

SHA256
6b95aa6496eb12749265037193855af2a9a1f45272f7ab26685ca2e597f05f03

SHA512
6544d11041a25d91d220f0d26f845a01c00fe94c5198745a7cd1248798b4fa6cefb3829eb87ecac771148255f16046954e1b81ffe9e23e1a20bcb0db72ed73ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
a9c0bb26ac4a3eb94e197e4e8e0384c5

SHA1
46fc74f3e020154fc3fc95e581f0782a9e3faefa

SHA256
b5d711e7742d0901f484ec10f0dd39f6b6dbf119f67d2c3c38e4c5a68c463775

SHA512
3f0ba776aacf0b74b424e1c01c9447d31c9816a37ffdebff000a80fcc32094a0826ac24bc7988f171d0918366a35fe75bccaf2554a4deb28cb3fba70458217e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
f9f572e723a44815f5edb1fe0257ec7f

SHA1
8e9854f4fa010b9ae3a80a8acf6b5e644871d915

SHA256
bcaae99fd2858f844494b24197750f6f9c8a7ecadc3a37ba1a85355e6884d8ab

SHA512
d56c1a284edd07aa11436bcd18331fc8bc32839e90af5c2ac6f5a169cc9a4102de630b2db4d40fdc9eda5efcbc65f4062c91e17217bf984bad99f34905b66aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
de9a4d0d241ff6f5d50363c6084457d3

SHA1
13444a15bce10bc0258e1af982bd2a81322fe22a

SHA256
19e0b99784e04af05964ac072cb2ddfaf1a18b1175fcfcc6aee8a9e7bee53759

SHA512
086c4bb1f4662668cd278215eb2c7949f22dc1b6522ac32c5a9d0942341ab43eafa218bc1d58724aa2721339b023708fa879d803712104c7a5f2ca69341879af

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
93e793d25fdc5ecf2605bc6bb8dec9cd

SHA1
fca1a06793e48ca619da4ce8ae291b88cf60e812

SHA256
393109ec5c521bd3516e534e087b3e3a61b59fa06bd6913a395f91a31857c17c

SHA512
d56d6713b4ed212a25ca36cd27d3660aaeee1f75cd0a3e29fedae47b6898823abd6b4a3d021adba67d6b0f31ae3ea118c708a206b29839bf0549aadfe3ffca70

Download Submit
C:\Users\Admin\AppData\Roaming\11e55c7792844182.bin

Filesize
12KB

MD5
b2a0e6f6877b60717408a6e8e870bd74

SHA1
678efc028ef8801efa154a16a9f56e656ae3b022

SHA256
194bc85667ab79ae26e8212300d6ffbf75a3aaabee14ff7b6082e9394c94f875

SHA512
95ebda5dd8e3ac20c90fcb7ea702bb3c416052be964af9e301cc30f58ce217b3ed481ba668490a7fb1a29117c911b4a7d2772d1eabc17a98eee1414413530560

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
717f3e8ad12de67397299f77014fe875

SHA1
1ed1ec16b25a4fd2807c9c94c33a57f50170c410

SHA256
be0434da26601e9ce866659d1c22e6d4f46feb108e441885aee833e12e3d359b

SHA512
633413f8302e72076794addee6425455497a30c7ad60e04496ed5c8a3eb052d590dbe3ab58b046d475643911ad7072443b189dcbb57ce0d84a7dce347e658e4d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5c881e179d76a7ca829c3ace76204a27

SHA1
2035f0a1fd4ca3c60f967cdf9ac9e422ccdc4937

SHA256
bd5c8841800fde10ea346ed38ee1062a367f4702157a4ef04f4b4137b11a669f

SHA512
28c429c90d123306016d7681d64e072f11b256d72dcf20063a83c4cf2afd07583c3b2f7dff6a1f721671c6eb64330f6a7acbce5f0c3856246952cc2050a6a27b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fe52b99fd51dba6c4697c624af55aaf0

SHA1
7b36714de85cd5effc8833ead326dfa2edd689b0

SHA256
851bbce9666d05d60a48ca1adb4c806673371b1f4500bf9dc2b403d7065a433e

SHA512
965c448620674f909f1b78e66b219038ba6a965d08d8a88bb948f522bbd14b5eda67496f31081a20594e3107fe09bd56084b935669b0d72b435ad4e39b92ad0a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
34b26115a488c3ea168b88e6834aadbd

SHA1
77555c26a415b26265b79de1f121b83443f0725f

SHA256
e964cb161afde1b273e6776e768dad0b531e6fa7fec55c892fa934746a57231c

SHA512
93b5873bff71e31dcd9bdbbdceffdcd6284bede62556e2d0d0d5bb4cd32b1556472f381b5822d2a7a9dbde906983d51c794382a4e1f703f796f1abde90f90890

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4d2c058427ca2b6e52ab85b097ca658b

SHA1
9016b915f5c62af7611c3d9e46896553d42e1add

SHA256
46d9b2720770b3ec0aae0e9293f88541c01a1ccc7f0015d3fe72dc6d92f9542f

SHA512
ffeec945801ea73ffa572b269e47a371f7c7c03d47460e412bb9a9e8b93fe63f0a20d4d2366f9ae68e8d2fc260ffeb0d7de3b8fafc2e1dd6b418cd28713bd889

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5fc732edea239d68935db0b3966fe5bd

SHA1
a829ffe7e19fb7fe42384b8a67c84e2c98ed2468

SHA256
94d35ad27a4a3787e9c98d324270dc4a1248348d0731a3e19e60cae2eb112006

SHA512
559cbec674182840537f6df9efa80bf1f2b42c990c516c64049ad29306bebc611fc913cef5b1bf1eb07ee542de84d8d8c6853bde0d354ca978963282e25ce07c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1b97ea4ac4cd9813ed0c3809cd114da4

SHA1
4eb24d3062d09e390385d182fddc309d827dca28

SHA256
c8d88d85a4c92967c65143b81b5f3eb07ed22fe6108f2d0692308ad9f98256b0

SHA512
2e90b46c05530f982e159d896b0714aee731e1fc97d9a0a197a77c3985ec5d119026c8554705d90a91a64c7e9699c4ffc986536f62a098f8a08bcf74607d55b0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d05ac0a83b40b7417e22b0dd235a927c

SHA1
079b24ada652e9bf69040de09bd44956b4962062

SHA256
3ce6f6600d96d65ac81043b357a8e75ef6fc534df940ddc99adf44509b98a941

SHA512
f7a3d65752eaaa385726911fe1e11246c702d02f14aa528d1349a5731533f8f3f78f678b20dd8cd1552413d54766f5fd5a41f12e52bfdcd8391d3efa3ce82f29

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8c09b9b3459fb21e194ab38a8d353ec0

SHA1
5e781918826af07a9bc82d92cb61b51b15dbca19

SHA256
feb306e8a0bb011e6184b4f2efca9de92e5968dae125130decb4c626d52af589

SHA512
ca9f532c9e5f12521786fb1a1f963590fa4dd0d90d5f8d90a3559635d668f544037fdc18765cfa062502e2adcb00ec99fca54c6b89878fb2bf9d5b3372563469

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
abd3f10a1ad705e469f3fd9ed1f2b8a2

SHA1
dc6089b7bb3931c4a74244552d10ece831fb1ffd

SHA256
9a764cf1411387c723e4e104c7fce8b452349f4224b739837a540cd55c6b1968

SHA512
05a5e1bafecbb0481e4fb8981c09087951246849d32f36b48f74a48bb8931395eee3b09bf1e248bbc2df528473fc8ce7979455856834c79ad535144c16872b56

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c3c4294de213c8f0f5a4393e5edc84af

SHA1
31d00257693c771028c091182645aac0a4e8b0c4

SHA256
fd1288474acaf5acce735e15587de0807403b2eb67e63b2909af36440c13ff8a

SHA512
3aced6b2bf2d5e8a84da9df6f7b739615d612b20ace8910e08b588805d0a7dd75b60aee0b67f2887f2d2ceeee8d24e06756b1f7b5d585987dc49f6417db227ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ed2a746e41cf8c30919ba8c1f1873d05

SHA1
7e2eeb4f04ef249d0a71e2d284a8006ce2b73baa

SHA256
c5d3ecc4905a6bed2856fd71783c602665f1b0dee86785e42dbab0ac21bb48de

SHA512
cd850b2467ed233c1b344cd940e289c16bcefca2db63ccebae6fb436667a8a0f4449df23ea0226e5a80a26c8a0ecb9568a746897fa62d024a9011a5bebf1492e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e248aee6158ecb52c2760b035088253f

SHA1
aae081b65560ffaff0151e2a1cf9a0460e74ce97

SHA256
febde27ddbf5ea3619ad3a64d897f100e3efe0798b49c7982d66916af5f8826f

SHA512
dc592daf37e7621084e29a2cbfad66cce1d52ac96cbbeba808737bf0c9011f16c6bc0e65d185f5fb612faf8b124694c89f8246b6173ef03d4cd4240230e274c9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ccfa2256351bdbcedacb8c6f8e8596ea

SHA1
16e6f3621f3981e469ce2284b9866738c6baffd0

SHA256
ff2315f44197d3c14e3ccdfaccc7095eb9031c0df8fe24711620802beea43852

SHA512
3ff2c662ff96203912e9d597af2c915e75906c87ce5d630e6e806ff186c68f15c6d2b8e469e7be03f9b6e441cea87c7d675a32ac9facad4046fc05038b9c410d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
173e7377a1b6d6a9dfcdb2730992a394

SHA1
5f73b959403d4b0a7055ef8d1d14c083169b5142

SHA256
b40937a9f7f43e5ad0aefc5d1d3f5587775815fe6f3f8804d07e68830a618f5b

SHA512
9498639a93f2fac6ead638bf6a33b9d23099f3bd3fb2bfb684bdea45bebd766ba9918950e1a53950f2303f2ccda9858bf327fa1f62b04a3a1d937ebfdaee0c93

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
693b0e67871eec35354bb0d4f183a406

SHA1
79e6fd4fb42f26000d2dda55d159fcfdafa2885e

SHA256
86a6fb363206f5655316806ba752756907757446f621f1f7781bdbd0bc1fe200

SHA512
13a31ed76d26916a9e5fba0f7df37b7d15c71c77b8400903d946dcdc3606a5c7ec9de505cb0fe4e32d8c8690d280c7f6aeff74e0c295250e8b2328cbf41b0e20

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f00247c808179107e2ccaf86e2bb06d6

SHA1
03e9fee6bb622cf20c0574f31eea85af395ab4d6

SHA256
3c7aca6eecb5806be3750a49be3820e1ca9171c6984d662f2df3eefa8f744d0a

SHA512
c9ba2c12a923c5382781e0a7d67a94b1bb044efeac6511d544c30237ee28c5f319328b1f40b7e1f8dda4194e56c4617acc0c6d0b1e82304eb477e8bbdf9a6e85

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
593d281149e5cf6d238aa9c4738812ec

SHA1
d4b9d87b24742ea19f6f00a8a93f4de1aa0b9a11

SHA256
ecaf214fc2eb88f4b80e15f01522c9c6b8129b8b4276adc804acd635e25061c0

SHA512
1e2b63ac058d57922bc6f91f8e3d25057fe986e3ce0b0562f2b2f39e2ca439fb5d63233899a25ac72d766208c3f695302e0cff8ab4994208c421dfbb82811798

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
22a8a5cc08231cacb08b6ffe4798fcae

SHA1
6bc84eaecf6dab1cc148255bce14a6f15370a48b

SHA256
40dc05ae540fc4fac8a4000f827379351273062ba5e8262339ce03a77d8c0c59

SHA512
05ec5de09a090dbad7a1b410d76e1c64a245a46bce8df14a0641f1cdd9ec74a22ec06380b3b0788eac4859f847fa9bf57382c0c5586a49ec7c870501695f8d81

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b8f8684a98d9df7da1e1de46e5f6d40f

SHA1
c61bfd3fee7993269a4af7ea028062054587f249

SHA256
5fd45e45aa9ecd9bfbc330f8e95cd5f397a9de1f4dbca28af658c51ba478c7a3

SHA512
c5b5634400bca32e3c0368d53ba5808881a79209afeec5c59c0d1b197ef5972108fdcb0dbb93bd8092389fc528a88ce3e5a745edc29613e9b3f07abb350d7758

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3809f4cc3019a0b88f5326a01165987e

SHA1
be090a01e5ca5bf92996cc28250d473410c58d88

SHA256
3c131df91241c2a583bcf6cb5f9461dcc5fc4e3fe2afb49cc235398f13e52f7f

SHA512
b44b86a3eee10a50f7a043f6b460991bda549fd42e0270fbddc845f12c3f6d9c84eea6d95f61d0f5b37bd5a0eb0f4d67fb1f7602003bda57b0d02297befbab33

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
64233180cccc7302ee56fb78db406113

SHA1
9dc150d53cb1134b7cac76768e529a21a033e31d

SHA256
eed0b83fc9432981f228660de441383d46d3b54cf8151645d1a992bec63dc702

SHA512
a7026e294a6b208978f88b7ae5280f95e13626b95d3e3f5c27184a67beb5fa42ce52ba0cc4dbbd7f0610998d25cde6032c011ce62cf1fc56f162047253cfdc7d

Download Submit
memory/860-685-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/860-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/876-20-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/876-11-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/876-12-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/876-147-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1004-616-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1004-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-50-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1424-52-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1424-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1524-170-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1524-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1524-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1524-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1960-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2084-219-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2084-500-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2848-148-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2928-636-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2928-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-58-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3188-63-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3188-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3188-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3188-78-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3720-37-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/3720-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3720-6-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3720-10-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/3952-583-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3952-255-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3996-305-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3996-172-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4000-121-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4000-116-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4000-107-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4080-231-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-551-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-158-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4636-293-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4676-126-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4676-266-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4744-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4744-68-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4744-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4744-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4936-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4936-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4936-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4936-99-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4992-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5024-182-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5024-323-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5088-252-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5088-567-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5264-718-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5264-326-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5456-719-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5456-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download