be867aa3c19c3e878f35806f890cec13ed50575e4ff0bc2ae86485a5754e2641

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
Size

5.5MB
MD5

a3362f848186747b82f8a3d39d88cd09
SHA1

0a441e31f4aa8ef84623325d170bde31351dde45
SHA256

be867aa3c19c3e878f35806f890cec13ed50575e4ff0bc2ae86485a5754e2641
SHA512

f802659a64c51bf16e575b5ad2dc1f9d1ab0f239ad0b0818d598db5776866acef2671169c991c6226de1d03a02f2f6a074cde2077c3df9af1c1d141b471daf61
SSDEEP

49152:MEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Gn9tJEUxDG0BYYrLA50IHLGfX:6AI5pAdVQn9tbnR1VgBVm1fFPfUNF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2136	alg.exe
1300	DiagnosticsHub.StandardCollector.Service.exe
1164	fxssvc.exe
4920	elevation_service.exe
4024	elevation_service.exe
1120	maintenanceservice.exe
4432	msdtc.exe
3560	OSE.EXE
3264	PerceptionSimulationService.exe
2360	perfhost.exe
540	locator.exe
3564	SensorDataService.exe
5152	snmptrap.exe
5292	spectrum.exe
5448	ssh-agent.exe
5608	TieringEngineService.exe
5724	AgentService.exe
5880	vds.exe
5964	vssvc.exe
6100	wbengine.exe
5328	WmiApSrv.exe
5516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\19e502411299d6a7.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577368044955304"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002234ada0e88fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e73a59ee88fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7a400a1e88fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036d6019de88fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002efd54a0e88fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6fa089de88fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009558f2a0e88fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e03dd49fe88fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e278299ee88fda01	SearchProtocolHost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
2772	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
5476	chrome.exe
5476	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	212	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeAuditPrivilege	1164	fxssvc.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeRestorePrivilege	5608	TieringEngineService.exe
Token: SeManageVolumePrivilege	5608	TieringEngineService.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5724	AgentService.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeBackupPrivilege	5964	vssvc.exe
Token: SeRestorePrivilege	5964	vssvc.exe
Token: SeAuditPrivilege	5964	vssvc.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeBackupPrivilege	6100	wbengine.exe
Token: SeRestorePrivilege	6100	wbengine.exe
Token: SeSecurityPrivilege	6100	wbengine.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: 33	5516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeShutdownPrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
4804	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2772	212	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe	84
PID 212 wrote to memory of 2772	212	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe	84
PID 212 wrote to memory of 1516	212	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe	87
PID 212 wrote to memory of 1516	212	2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe	87
PID 1516 wrote to memory of 5040	1516	chrome.exe	88
PID 1516 wrote to memory of 5040	1516	chrome.exe	88
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4864	1516	chrome.exe	91
PID 1516 wrote to memory of 4880	1516	chrome.exe	92
PID 1516 wrote to memory of 4880	1516	chrome.exe	92
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93
PID 1516 wrote to memory of 1600	1516	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-16_a3362f848186747b82f8a3d39d88cd09_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d8,0x2e4,0x2e0,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0e62ab58,0x7ffb0e62ab68,0x7ffb0e62ab78
    3⤵
    PID:5040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:2
    3⤵
    PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:1
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:1
    3⤵
    PID:1684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:1
    3⤵
    PID:1340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4264 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:3184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:1916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:4976
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2404
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e581ae48,0x7ff6e581ae58,0x7ff6e581ae68
      4⤵
      PID:4780
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4804
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e581ae48,0x7ff6e581ae58,0x7ff6e581ae68
        5⤵
        
        PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    PID:1064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:8
    3⤵
    - Modifies registry class
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1916,i,1653637878076456545,10247409741621900292,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2136

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5840
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
70c78dbf2fe9c59458fd2510254c1d64

SHA1
3c2465a3e0403b7ebc588452a888a6fa5ce0d216

SHA256
6ab5f153ea326ce6f50e836befb703f1e7c7b282967989b1a55800617791e53d

SHA512
f2e3fcb8c7f99a69f9726baaf7929b45d519d6944cf82600e25d98e8460cb03768cf38661a8a98db4888f88c9d8790a82f2404c27c76048da0e4ce1ab0530d53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
dc4fad7d321534ff586c914b0e69545b

SHA1
56a2eccbe322e5a9f4564f706a8cafa85b044875

SHA256
a5839220c56a1389499858085d7d0f88ab6f5cc50f9907f72613272197f1cc70

SHA512
1a3b0f2203066cdcf9912da94d3a2df2d38a01459437fcd49e6df4e1e140e9c30cefb07ce5b86c7b67e56da2c565377356701ced103391efa467c6f6f792e12a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d92f3818bc3100908d9936d1ef5dc589

SHA1
b8e70f51269c1325bdd6171240876a6abacc2347

SHA256
d1f88a90d3460d2ab78858d598f51e0ebc647ad894d8102b035b07d9b201f6bd

SHA512
1335f9bf81bdb932fec0b33447cb9c9a76d822ddb06dd52edea5f8a66ccf9365fcb400ddd188f3631f1d33671fa5ac00b04e532daf3cbea47ca30fbc53ef64bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0d0872ace03b8925c8dd4555a1640b32

SHA1
94fea71b48a1b3d0c95c6277492900e2a959399f

SHA256
d022ba7dfe643de0283b6554b61e88535a4cd5dc4d334e7eacfcfc08c7c2f442

SHA512
2be10a915eba48fcbc99fe1ab18ede30f260fc572b95e3bef7a8b775861a03e8f5dc25d2d513c2618f96e22b9ca795cdb09edeedbc35bea737b530d00eb1429e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ffd735c8705851913e58d11b768e65d4

SHA1
12f0bd69812395f0c94047d40e8fb1b92737f75d

SHA256
0325086f0f3b21ba762bbaff388785f362ae5c5fee9329cd5ba5301db3238772

SHA512
3a0de83b658c7c563a406ea297143353d6bab58a60fb5210aa1c35e731f13cd0f709f8a3cfaeae74186f6ace6868c1dd71d7139c954aa1dabb63aa7a0ca3e0a0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4e53f4fa43c5918a43a3110882501a9e

SHA1
f578f699697bab7192974420d83783c65cb3f7b3

SHA256
a68a6ce92c0c3cc7fd1c9946c2457c1d42498c127149c25bd88dc8fc4cf91234

SHA512
302ca95d28c97699b68a7811f7322b30964f27e2e39487c1f0cf02c713270b18aab2f6895e8660bf8890fb4267c449166d297e060b7e999c8fe9cfb770ff4c57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5abd4d7d7dc24d82709f5b1c4e968cf4

SHA1
156159f6f7e1ffa9487dcada2e72bd097c157667

SHA256
817c5dbb6fdb355d67ee9c37e7d8707fc160556899b695b811a6256f1d581014

SHA512
ecea5f13a47eb9c494dd913ae812226477583c3ab7c4aede54d4f7fbe1dbd9805aa27ca8d888c7cfcf313f88ecc9f593a570627ba6154f5f09147b307d10f2c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7f7c82d501ca7f926045727f0dd0f60c

SHA1
c932956afb518440216556fb2b92227c1981e64a

SHA256
649e8e4a5a88174d96add6ad35e18152af524dc29118c391a15316f52eb64394

SHA512
2026732da0dc9d5d9ad9f0f55bac3ee01b7d9cf4e3739c49a1d2871a726a6e777be2cb125ded175d573a1a5e6890ca2cb0ef82bf3599042142227204ad9c210b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dbd3efbe735ced559c37dd09a68c9cf8

SHA1
81fee23302625efc84e5c0e1d1aaced73bbb723e

SHA256
7d678b4a336550aa6d62e4013db60390f111c045a75e0781202c9252c35fc7fb

SHA512
781081f8d760a7d00951cca5346768ce2d78062e53a0d93214720f1fa38b0c28642e94f383afd7412daa299a9562d505199e0752fd88e85e3c9832d52210c4b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b480d4e01de10fdb1bf68f3fe512eb56

SHA1
6365e16ca5a902fa52525f70fbb21bf2c31255b7

SHA256
765b255e79243443655f34fe71f40f7fabd39295d7e756ae3a375f94bc54d2e4

SHA512
9c0f4830162a9fe782c7e822dee9509410d4d8611ac52b705dd5ac015069fe2cbfe2cab56ee65b614e1ac655f22c516604e8db087b116a924217c2384a0ad890

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
79580e78f7ef4d7ab98a03a5f834276a

SHA1
e053cdfbf9b791380b19b2fac4b7b3fe1fa36c36

SHA256
7691e02f129257c3af0c8b3fab68ca2d083d2a6986f12c850c0fb6e18567b0e4

SHA512
7b1153004cae57f7eb47ab1cbec7225ddf719b0e8c3c45d3fc34dec99748a35010f7b137f9a467a9137d5a8841487977d4748be5d28874833abd32b348afc40e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
68ede0503614df7b411763a7d07d2119

SHA1
9d365982210494b2ee7a0de1d97201ad3beb34f4

SHA256
066f2b6f2df9b1729d48597a4c1c010233670ed5d60a23715d8d02011480a591

SHA512
0c8c710493ad4023ac4d63a7c9ead1a3a4a7c2e3701fa2e0f623679798af29d4668dadeff4f6daa16fa3a677265979d6be710593b9b8702d9a156b90986f0fdf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e9d1d901bb4e5bd35329ed59377ba258

SHA1
eac1ec1f5d07c0c4986097dad8ea006cf25baf65

SHA256
dc35dc9c052a5f9bb8147d1425b2864972f325a3120c31ade1a6cc35279b47d8

SHA512
db9bc22bbe2d456d98b58b8f421e6e4836b5405b701656001d95b2a86a800d5f519607a504a022bea46a4121435bde43650c495a3293d99f786baa95882c02a5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0813751f86b26fa7d3837fad91494aa2

SHA1
1c76dc693872d822bb228876f1a90b19fea49b3b

SHA256
8485f0edbd88334de12f7d7f08005a7ef1b2637169a563e44488339c23f71c31

SHA512
03c3f4f3f4fc7867eae6a24a897a54abc942f7415dccb58795b4a6ad012731340515c1c12e9157e3ced9b784b29a9b62b13f5a15d11048ee6cf09b87a8ed9499

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ccf0d2aafc8a5bf6f19aaa0f4424e42d

SHA1
a4e9d831c1de1a2e926201ae2ff2ca8ba4bebc03

SHA256
9d3ff15f6d671c443da4ccc43f13f6e8c82699823042b8fa79371a0f23d16bfb

SHA512
5e9d92c4bc04caf4200c4cf35540aea72ab9a5ff5629f9d87332d2c0f91f1755751227734eb21d32f4eb2279e80f34f4e5bac9970592676fe707a9f8a93058b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9c06e45b2438e1031c15123b03207b78

SHA1
001883daa6a92fc6fdeb89d1f8b89e37183f784d

SHA256
c30dc675e5c4e90ce728513e60cc48909e352cf901004e85cef8e099594e72ab

SHA512
08aa86cdb06aa4fd435b4877abfaefd89d0bffcc93294b6a403403110524c2255dc31f34a5bf752e3151ab86ad2bd6dbc00db7ad4f1419f0f56946891b906149

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\eb7dfa6d-25ba-4bc4-8187-c43bcbcd9abc.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
f393cfc855a3c2ee9cf5c9f03eed4867

SHA1
adbd300ef457c31d80a146f60607d90a0c338135

SHA256
0d5ede4fab91c425ba3d0eb97cd8308db98a4aaf54e5399f7e2df72303a8cdb3

SHA512
923b2769aa0530ec1c12903ba8942da240559b8c51fe1511a71c07d3c037d4e407af0a0aa51a920f993055d3f4b627dc75bf3eef8f8068ae54af65217e84aa03

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c07c77314b39cd8d6aeaa37b90d0ce45

SHA1
c3fd488d689e7bf0bb12c05e69c5a20ac3b88e4a

SHA256
5cf48bf0d26c66c659f8973f41ec49f57ce49833162fe39ddab12209bef60e5f

SHA512
5cd0ab752df63d173ec4c107a8c1797c4803dcbed86c0c9e091caf05e24a3cf326a2bac3d9c290df5da114283dbc3e3987b8bda9747ce9b7669b936a4cf22ddd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f3cb9e10403dea7c3735543184cafa24

SHA1
c67628bd2fda9a9188e1703302ad14a3d2e11753

SHA256
1b488697110b57506c877c75d0e62b2a1926d392ecd0f4b62ee20900fffb4863

SHA512
14c479c83e9d633c542570d78876c662acacc9273211884f99914d870f2fa5d88cc74a53771ff69e3460d812d14acd8732a69ead5805d92d3a31a4576e6157e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b7a2e10b9e444e3d57f4d952276df8fd

SHA1
b70a45b53a0088b3277bd857be9b0d4f3212dc91

SHA256
2b3b7b9bffd2ab981bd8e97eb01d5ccb2a82a478cfad815d16cb71aaee1034b0

SHA512
620706d6a42c61a5d1e80ee261b11aab87b59cf2dd8d9644e5d611e60884eaf8a7f77b1d9c3c1fae4163d46736569b4d9e50363e4f7c21b1733422099cb563af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a1bf1361f827bb945f5d328659022184

SHA1
ee42fc1739b438b937d0d00898eca9b0d032b367

SHA256
14cb2d4f14afe7264ba5d1b40c6b303f1cb7ffa15961aef9e774b51f0e8f5bd4

SHA512
90ea5d1fddad6b0dc2d16490339b569c0e5a5da4154bf537a34f112397343c276e1efa94ede866e50f349fff92c7cbbcd83935237b0a026bf2d38cf39dd19e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
81bee8e9d94c5016d6770b108118e53a

SHA1
05ce9a1d410d776ad1f2693becd09d9d69af2ee1

SHA256
3dc9996319b26f7b9a1f994f969d8b84150a513d6922adb11f21ce0686345e01

SHA512
8a0ac48479ec9ec6c955f3477d86298c5f2722ef533d61479f3fae664f20fc48ab1eee52f1a1914e7b0aec04340e0232ca6efc885d1041e7adcdbabf41590d1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b70e8cf65d90e25865ad07cf8a08a359

SHA1
e144532b05be4b3bb4975735450676331142d083

SHA256
6511ac6c81b2678c78f44af00dd07b78e4c74f10d4bf4ee5032e6687a1938f46

SHA512
385a3e9fc028892a78ab26669817be47dab2173707419c96ae79d92340fe13add96915c3ef71c0443c866e61c8a1a86b5760ba55e8a0ee33ffd0e8b42322bdf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578cfe.TMP

Filesize
2KB

MD5
800cddb19ebdcf531c6a5114c09f23f2

SHA1
804a092ca98c5d23daa511bc81fbd57c0d1ab79b

SHA256
f2112fe1a92da135374352df0dc9addee81f5301db0d5a35c679cdc2462e717c

SHA512
2de47b1ae89b9977aaa0e87e2ddb82cbbba8907f46400a50e7bdefffe7f2c1492ca735206872684da5e85af72b1e3d3e3cb2189f972c6a1dc9b8f2763c3cb658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
019c476863c1f53e1a145dd0b6dcddfe

SHA1
c52f292aa2c308c72f87583604243c39eddd39d4

SHA256
75f18e4a8458faccc11e70fc23fe6e0514bf9af0ee6616b63f8b4b34aab5fb92

SHA512
ed985d789a83c9280e3aea306da4db7437fbc7d68571b70ff068da84d82def32450b995efcf93ba9c063c22ea8c9f5b1a7ce8509ea9b8d7609e71c063eb407e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
95c2c31ca62da1b846826d6010768556

SHA1
01743004c56aa1b3386f964711ce5a9bdc9d350f

SHA256
3dec1ddfc9902ceaab770067364ead213c7697606177c87aa44aef9b93fbb239

SHA512
21acba512881196daaecaf0c1dee1ee6ecc3dda8e767dd961e9a9801541f027837942794181abc319d7a3551bf94c739a04e8a41d16ddd3ccba168a1efe92e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
72e5240ce501e81d9bde92ada9252982

SHA1
335a324b5f45f9c01d137dd936e5f4bb4704cfe8

SHA256
79f6109144d04ae3894a31ee8d625a3942037dda501f519bec4d6bbf49c916a8

SHA512
87d00b656aa8ae2d9c2bd11bc92ba9e680208c9d16a316dc784d07821cb1ff3aab25ccdc9c5cf107fef1927bdaa496d1974d1f0842d73166670360b2b97de1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2a0a7cae01dcbc4d069376d25f197093

SHA1
1f0a1aee61f819f3027158c7b384070ee604d0be

SHA256
f81c33273815e6ae44d8b2dd69faee3dfc5f6e1432f77f35a699d23f54c5a3e6

SHA512
78952c50377809a975111207f68b7554107bf97060aa57c3e65d5c75f91f4b5796ed987bf90fa6c76600f5b94276966e63cf6f49e048c5a5ec4d1bf94fe77698

Download Submit
C:\Users\Admin\AppData\Roaming\19e502411299d6a7.bin

Filesize
12KB

MD5
f0b03a39ac32d64afcb0a75f94bbe269

SHA1
98881aa1b3c6490cfcdf16302889b3079d89601a

SHA256
bf8d26da1728938c9af83925e6e9164ddd1308ab71fcdff6e59ce2bce3b6ec3f

SHA512
d3c244523e531fc7ad360e40bb9ee1ef9b347e48b95fdecb441d53a1842f462538d78f8c4ded89323cc9481bea9ce50b88c84cd685f6e0504faadc62e19815c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4a4c35f29cb208cd65125b7ce3f673b2

SHA1
b86e5c6644152d2d253d07213d691e049621f7d5

SHA256
4332fcf36a39edeaf5c3f2a81daabd5d323d4f8ac845fb329607af5f155136ed

SHA512
217662d22bbb726ed11ffd313af25ecea0dd2b0c5c6b166988d8f9e0eceb0299c7c82de7bb3b788c9ec796c7adf799189cbd7c8f5b50865bdaf960a654c54d27

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
51b098863c949b481f0da30497f68506

SHA1
583544f4321c43334943a9381b1059c224baf477

SHA256
5a92688a101920edccd18c23f34f37fbb60248415abe4a547a463332a776a239

SHA512
4a526f9b45418b51525f6a4a3a71825a15583a95ad8ff2bb8827c2b862c934b78eaa2445577e197a8795cd5b48365ced4d1212de97368cc30979ab4df618a855

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3639e52e6741f35cc945d4e993d5f74f

SHA1
b5fb550d9b8b348ae677c82c8abe94c3dd8f5e0b

SHA256
0bfa75acb6861902907d1ab1d5af47764e5787b000b3697df8e72171d9fa3c46

SHA512
c6d054034ea88c37ec5533a9d38f8eae0cd19ee23f9205da570b3ace83e9e9bf332adf19d24da5734a336562f2f760f15e54fc4dc6e942cea36e9d588ecb0197

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a963b5a85456fe00c06ddb11c53b09b5

SHA1
258f718da36f7c42351d23df2b22a767a3303a19

SHA256
aebd3363f580f1010492bf69e181ca7259dfc3c8c060afd5945e3c8e5e970be0

SHA512
e64673ff0622e4b5b650d20f72b3e98d7e0f574b761f0e16d8d9429123c056c1a881d6e71de46e414e5b6848b0a1b161f6922aecf8ecf4beea123ee6fee21423

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7e6048ba08ba05af3e74e174c5fbfc67

SHA1
898870a4e00927bf89d54751927467a0a896947c

SHA256
18fc2157e495eaef613eb6b514837a35dee05b992e7b3ac123042d55b007b582

SHA512
2a220f6a98023476abd0303cf029142af97b83bc4729f6538772a2c0568745e8b54a0010809849bf274dc387b9dfcbb9ac8bbd1b963e4c82abe808fd9e185c32

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d64f25e243ce110f115221516fe80d38

SHA1
6b51d921b121ed4e4c5ea335254ac0b78317ebb6

SHA256
05a23e58a205b784ec4dd0aae5b1de8a77a5722087c3c81ebafbe6e6f158871e

SHA512
ce5fce801d940ccb760372eeabec545f830ac6de95358c51ef8b88eaa4bbc6e9d0b5ac8b20e0e81271046901d0805c1589ed542239415d3d9889ea8718c3ed36

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6240d111c49a0545f8eeee7ad4e34938

SHA1
9b733c236b04173ba9e35b60676793382b7df8df

SHA256
59fe767fe307ee622ca3f452637da44da2e76cf647ab7b6538b43701288c603a

SHA512
48f89d6779ffa9cabbca7bb2e996efa9deb49ef27d5b8bba20a411510968fad2c72c55b035f02c7071af43255feb688113727a461038162fb867a408dc992ca1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8effa516a0a473b16c5694b5c8a8240e

SHA1
f7376a88b20a33301bf39294264333f4e7ce1cba

SHA256
07e1b6a375c79ece90acb8118f0dad45e91cc4628594630e1cd886680e748449

SHA512
48b94e0bf9b719c13769872d6629f5df929f68855f90f6a514dd19eef6af2c7e914afbde564c6bdcb1bf04ede1e30ad565abef278146004fc36ace77d03232d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
785027bdd4b14008e31287b0b4836beb

SHA1
65488245f4c25c8e95b6834f530fb2e0231705d4

SHA256
f2195bb794356d7fdda4835c7a10f420e9b26463729796f70db779f471252be6

SHA512
77eb3fa406d2657a058dc26396c17900e333eef0e82b6d58d92e413b097af06bf465458e4346191dc8986490b42219a5987de2771df9d2c148cbe9a3520bb197

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0f83eb08b6156ad8053945b7fc7b03ca

SHA1
2d851091f7040d0afba9824af414674c93d14f33

SHA256
26903e1d9f26f2dbd6da0def00457a31241c10b4b3b32cdb01e2e2517cd4d79c

SHA512
0748ec0a8d33e892f557d68f9761a264c7393527542743c7f88936063af90cf4cb2cbcbefe460c1f9eb42d8bded8a9f4ac5d073401f2daec94c302eb8f035f5c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d933e22b19483e0bc9f7d48a388715b6

SHA1
9602517d91246a3c9740aba2ca300ce5187b45fb

SHA256
d808620b23e2958b213b2d765185da1c89298c88b5009340b2cfe2fd13a8865d

SHA512
3e74adff992b8b5e178486177d17508541930717f2d1c16d081599a4e264cca3c118dc74f2c68de43eed73d8b97b9577e5e16044c399ec01ec0ad099c0f36e69

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2176c9c6c0a711ef838a7e9e0d88bd80

SHA1
70b86ae519ce6da5a9c32411fcbf7854e2e45db3

SHA256
737aaefe0ff6d4eb34cfefbbed42fd0139644d35a8678a00d4bae9e103c0a477

SHA512
31b4a6b39e1fdb10d93850026d92cd99b403f402ecc8402f3d86e5d45d98e071594797595a212627ef9b7439584a09ea270396620e3e6446beca63234e169983

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bd8e7defb84d74d134e6bea8e49d281c

SHA1
1be41d0c6e6dfa11219963dc2f047713c6a0780a

SHA256
7a299403888b5f0d6ccfef4d3fcfdd60d2c3dd5520d71d8c4dd16365e5c8fa1c

SHA512
980b80dbedf5f5559d422b29421abf8ca916ab6d65399e74f5bd55d2f1d45334a0d924917671c9ac037a32ab18db396350fd6e647d895769bc4888ab6337bcfc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4f0ceebe790384bdaa7108fa9118a0bc

SHA1
9399721ebe091bf00870a81ec289dc602dbb84eb

SHA256
73ad2cde097605b5125619c4fce9a290767e6c20012d064f4a46594f4fa3019a

SHA512
4cb3dfc04b2e99400128e22bf7376397fe5e9340294aaf9ebbe6d2ad8fcaac912a9704503c209572014f90d83dd26deeca5695a13394b6b3fb1f03571f7e3e65

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
92bf2ce6a8c2a5f68dee3dfeb2ec8219

SHA1
0715fd6d1d05569f7d3e383f98e6da9a83997e90

SHA256
879b6c4e8a5e7c03be43c608156a1a58b32a8148596b0fc72ed6776253a45e48

SHA512
c55872d7e215e94c30347bcb7a43e5eef50fa5019c58418380b6146d79033335b242e715e7b6f5757525292d27089b863d23eb5a171251be42e0e63ed57bd754

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7a9d926be8d449c61dee47cad250c95

SHA1
c6df57cac3c78487c7c686a23c688d5f6cc4ecca

SHA256
1cd0edc072f103a6372948991d84b6cd617ee496cc4dcd3f3a1d4a5ed560da21

SHA512
18f0bae34f974fc43239dd2d3bc8c55eab8be25b09feb4dade73bc54e0dd73356a8fd6930c8384bd16d9f62f2c8a0fb26cfd74c215f62c4a275e5fa6beac1eb1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cbe8c58af6ffeb345ef62a8e3471ccd6

SHA1
ae77926b8ba381e6ab39124555196bdc2bc79247

SHA256
1199afd345774f905c7bf53500c8987c982034e90c784a2419b9a97ebebe77c3

SHA512
fd014fbc6b13f2b4c97d35e47b7c0eb8e1bfe94f6644e7175fd15d093240a92873afc142dbcd07a9ca4cc6256d8df4d9e2829c6814b7c7e9976b67dcd5746d8b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ccdc1f54c5d9ce53dceef89f6646b752

SHA1
b0f60387ad6f8ffe564f1fb2b6f99ccecfb6c878

SHA256
c6bf2a11ed817478c77d8eb629f72493c4ca6ecb06c013124ab039d3a46778d9

SHA512
06d6759258e8750775ba5e3ea46d2df605eb2ff52456d732a31a503f7cf8a9b52ba37694ec8848a3e8484d2b9704bda9336d93da226482d4cd6b459ca0817711

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4e02778185a5972d98c6833d2959de6f

SHA1
6534c1e6760952da5c11dde81efdf1daa707d17a

SHA256
a477f9f08138dc04e4f21a6b67908c4e698588c87225699be22fdc5ebd4e9bb8

SHA512
75779ed243dc1407b2229d075476efc51ace2c38b09248f5691d7723c7f5b889d7bebe3dc3850b235902f2b0dfdf7b299fd41d732ac692739f1ed9f4233f22c6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7cd7bd4302fd45c48200f6eab2b260b1

SHA1
f1202c6d8aa9b0661554b26680f49b48d103e3d2

SHA256
07836b4dd905253959fe6fa5c66da9ead15e6dd8c18339e58ddee43e4cff68df

SHA512
44acf33c56829843cebc68f99cc979cfb97eb15c657431a16d9dcae44f5ae2966ef36c32d211b3fdb47defa261c390eb39ef5b2d6b291ca0422274639f79359a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8b639df66e9cf496aaf80c3b55befe38

SHA1
b16e18b3c6199d7148363f2ab7e51c32edab3036

SHA256
94869672d8f61ec76d25872d9822d32ce2f08034544e4b179db350a9b308e85a

SHA512
6067df30732cc63a52eb9529624e4669a2b0e9723b360c6106f5505d37ebb6094931da5dcd1669daf1ffbad376f6fd3b78ad311f6710b1d04a17e3ed6d7dce53

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
eb695e0b88023353a470db8a2ec7439d

SHA1
28b39aa3e7af4c0a4513149c349754632c5f61a4

SHA256
6cd50d0aafd65902495ea886e6c96aa421d9a814020d2b3a71e4175b378cf78f

SHA512
5b111972d6c189ef0e3a5db819a5e94db4d45a59b19cc60e200a3b7084ed7dba91507aa72f55bb8ab022e01d04188ba34fd210c0dc784c39b3b487e0cd34e03c

Download Submit
memory/212-31-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/212-8-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/212-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/212-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/212-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/540-223-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/540-231-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/540-292-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1120-137-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1120-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1120-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1120-144-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1120-129-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1164-74-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1164-80-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1164-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1164-90-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1164-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1300-47-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1300-46-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1300-156-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1300-55-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2136-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2136-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2136-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2136-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2360-219-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2360-286-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2772-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2772-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2772-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2772-24-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3264-277-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3264-272-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3264-208-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3264-213-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3560-258-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3560-262-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3560-189-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3560-176-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3564-245-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3564-235-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3564-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4024-101-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-104-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-114-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4432-243-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4432-166-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4432-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4920-95-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4920-97-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4920-85-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4920-84-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4920-205-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5152-250-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5152-259-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5152-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5292-348-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5292-273-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5292-264-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5328-381-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5448-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5448-288-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5448-278-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5608-294-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5608-300-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5608-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5724-305-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5724-328-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5724-332-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5724-333-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5880-345-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/5880-338-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5964-358-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5964-349-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6100-375-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/6100-368-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download