3bae982fd5436d2e0675d89cc2acd47ee93e27a0dbab46e2179bcc42061b80a5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
Size

5.5MB
MD5

b153eb7d43b1a03ea86f004760b6a4a8
SHA1

f67d0757f506fa0f9cdf05d8e2fe3d6a82d5e875
SHA256

3bae982fd5436d2e0675d89cc2acd47ee93e27a0dbab46e2179bcc42061b80a5
SHA512

1dfb12840f78f1161a88f586a2f5dc25e6f65540e95e679b56bba4ffa0392aac963d9c401e1caec370631de33953afb31d05d9e8616516440d5f96c821223ac7
SSDEEP

49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfQ:sAI5pAdVJn9tbnR1VgBVmlqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1944	alg.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
4192	fxssvc.exe
1784	elevation_service.exe
2216	elevation_service.exe
4772	maintenanceservice.exe
4212	msdtc.exe
1580	OSE.EXE
4836	PerceptionSimulationService.exe
2024	perfhost.exe
3176	locator.exe
4716	SensorDataService.exe
3516	snmptrap.exe
5216	spectrum.exe
5428	ssh-agent.exe
5660	TieringEngineService.exe
5828	AgentService.exe
6064	vds.exe
5268	vssvc.exe
5636	wbengine.exe
5964	WmiApSrv.exe
6032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dd30f01774f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e058bb2df290da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7bc9e2df290da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059f8992df290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce56f92df290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578508707879628"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71dc02df290da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
4352	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
5560	chrome.exe
5560	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4736	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
Token: SeAuditPrivilege	4192	fxssvc.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeRestorePrivilege	5660	TieringEngineService.exe
Token: SeManageVolumePrivilege	5660	TieringEngineService.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5828	AgentService.exe
Token: SeBackupPrivilege	5268	vssvc.exe
Token: SeRestorePrivilege	5268	vssvc.exe
Token: SeAuditPrivilege	5268	vssvc.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeBackupPrivilege	5636	wbengine.exe
Token: SeRestorePrivilege	5636	wbengine.exe
Token: SeSecurityPrivilege	5636	wbengine.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: 33	6032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
5860	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4352	4736	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe	87
PID 4736 wrote to memory of 4352	4736	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe	87
PID 4736 wrote to memory of 3896	4736	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe	89
PID 4736 wrote to memory of 3896	4736	2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe	89
PID 3896 wrote to memory of 3152	3896	chrome.exe	90
PID 3896 wrote to memory of 3152	3896	chrome.exe	90
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 4764	3896	chrome.exe	94
PID 3896 wrote to memory of 1452	3896	chrome.exe	95
PID 3896 wrote to memory of 1452	3896	chrome.exe	95
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96
PID 3896 wrote to memory of 860	3896	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-17_b153eb7d43b1a03ea86f004760b6a4a8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff59d8ab58,0x7fff59d8ab68,0x7fff59d8ab78
    3⤵
    PID:3152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:2
    3⤵
    PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:1452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:1
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:1
    3⤵
    PID:684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4100 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:1220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5276
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6e847ae48,0x7ff6e847ae58,0x7ff6e847ae68
      4⤵
      PID:5812
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5860
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e847ae48,0x7ff6e847ae58,0x7ff6e847ae68
        5⤵
        
        PID:5884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1944,i,4841120543142070713,8707331614386457290,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5200
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a495a730021fc9eddf173f3720431f9

SHA1
6203c146f7cbde67e5ceec54078a56c98c22f26e

SHA256
f594300c827090ecbd3df3d5f91a400e139c23a76515dee305d580a26bba3e63

SHA512
43180613efcddfde0d82c29e07e4852774f82cfb2eac61a635def736929f4fd844e08dcf84c7cc2ad7492d96b83e3f3dad7fc83a98aa5cd1b894440ef6e6440f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4a65e074f821809adad94e2b7092cce5

SHA1
162d30d13688ed10d9b0a6a19c4ad5fb2cf0f81a

SHA256
009eb63a99dea31195575a920c0e6885abb79f9c10ec82efbe3469cba32461f4

SHA512
12894e51f0fa1ecc65c41e441c7e4c362e4378106223961342f9f68adb4a1b1be77650bb98137f9b0e962695d2ead3466efe92184a3df1ffa2f26780277dc6cf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a47b8aee8bb5cf763ded1ad98b4f7e8e

SHA1
668ed82087459478c82e934bc4c4f117de815f14

SHA256
3d9391f4acd8444aa4ee8f4c8da9883f99fcf20ab7688f81c53c8dd39606aace

SHA512
77f026efd47ff8ae661f56ac2dfa2301524a234d0149ea3f40d690a2f7f1c9a37ae79be2e801a854415b8ec2a9266e47c1ad0881d43fd89216c8aa44ec1a1fcf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7fa922e3a24c1e1b9ac8d4b62780b0f5

SHA1
8e1b1af135475f64706ffd6ef06a2eac482b85b8

SHA256
56a2cd29033a528daae58e2dafc568e7e82bbcf1f0e5fd0c7a12fe99635aec39

SHA512
ef996cac9d8aa05726ab8625318dfead3d3a5462ca08f9abb6f764bc767446fdf5c6b0df7760520ae652761811fc2916fd11ff70216315ee1b9ae13ca8570d76

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
754a582a9fea757c20d819a077732195

SHA1
3d678c930a63e08610ec7aef1e29d684fa69e370

SHA256
86ec4cc0d56f867bb6cce5606041f9cfe8af39bda36cf115a8213212e4509781

SHA512
7004a3b0ca3a61a1680e4dd29988997768a7cf17fdc1c67600b6a7ab9ec67879f32aa0fc2f5e60f6a4b5f328c322544fca15cd5090f285f196c5134de898fac7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
31d10dc128e667e4fba3272a01a26d8a

SHA1
202442910713be80098b35bab394a5008da9ac19

SHA256
193570fdaf09f046c585d51e390f4a9f20dd4e05385a5de70cc20e3ffddf3207

SHA512
38fea038ffedab01df89232f92cd8d6b032af39385e9d988a58abcb27b801de163290fab5920ad66b1e68ad76e2efa36e8d1afd038c692de213865ab6e8cbaca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f2b5eba31f991a3f34c979b048a887a7

SHA1
4e87ce8800b18d955ab620fbc21ee6871320a0ce

SHA256
9338f8e60a8952b76b2f5715a730c0033d21a9116976960db860078aad1b182f

SHA512
e257b5d26d96b8847fa7578f165935e107f022db2a90f1e34a9c2f047cd86cac6fd493db0072aa20058f745d071c56e0b7e8252f5a9aba150b75de925694620a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ce7be3187027fe4d45aee980514fea22

SHA1
1824325dc7d37f0ecbc3ce8e4f1846b789a19f75

SHA256
70a0a5e001ac18618124d0b85f7b22e53ce43fef15cf74c495dd178b506949a8

SHA512
714b1725f9575e15c1fe6835457aa05c80daf76bf66c74abd16b7c298e825bd5d30cb40160854096b2b8de657f0bb2cbb74831e78fd3da9c526e04d665b7cfa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
31bb73f98a620990c044af37a860a187

SHA1
073d47dc3afee32089c5a1f28a855fdad3b92ba4

SHA256
7fcbec686361c3b4156486cf54d94d9691853162219b785db2b57b76349b9b22

SHA512
8b3249b3af1e22fddd7f8a61d6ec8df155a4f7efbf4a9cbc4212375d0e7e2a3aa9806da1e2fd369bc84181bfc89bb5166b7dae5e24810d154d5072e4ee1f3985

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
96e7507df220f52e4e6db65fe05e43bc

SHA1
15c49876c761ea607953b74856aa325276cc5c2d

SHA256
dcd428eaca07084b69b36723913dfc0e57f09f548729a57be8c5cb0bcdb5666c

SHA512
455bceef20d6db6410476eccc60bb3f945ed29c1ed12d487f95d7e93302cc7c2213615fac071c1b09df92ff58f61a18adc67c53b1bbddd0333f007977219bb17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa7370581ca9bd89de26da6870c94b60

SHA1
083209c1f0ca3a8f16c69929120acd73640f6062

SHA256
bab2dc1e8ca4a904e1569896f5a21f379cc909956706ae7c9fee376d4b3df047

SHA512
382a774abb337dbb6218d734cc2e33affec63c6a0aca94c5e038222f9b9853621d48eb00b665c071947b6c86748f8bfe95c0d5e76c977c90ec8bc528c6d6077d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c4f9c19408b526ec186fbc8b622dc4db

SHA1
aee925760626e3369ca881b306ab53eb112831f2

SHA256
8facb4d4233f946609fcfa258666571afd07c09aaf4b011c813202d81e335cd9

SHA512
29cecd0e2d65a199ba949e4b072b33d5b53f3cb51435a20866700d43962bd36c739f55c6d61cf267699a673c70a67618cac478b02fbcfe7d9a12ca9ef4649f8f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bf1d5d8fc337f3f34051c17fd5fa6977

SHA1
30d0ad30a558cc2d621b1e943704c8afaa3ff4b7

SHA256
bf52a08f32acc10749e9b1c5dd4bc89830d569cabc59bd8be352c649623358f6

SHA512
da6f8ba6fc7417f633f5cddb8e7c6ddeb98588a62a9c24b3d47314d02e34f5b237b3d5ed2934c1fc97e5254f0e0f7fa239cb9f18b70bea28d2dd075e7d59d6ff

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
94eda2b61091d660bb470e00b91864c9

SHA1
3eadbb4e5c38e4d6ddbf2cf57790a0e371c0ec97

SHA256
aa967eafaf7a2f5037bfba51791b743ae52de8b46d1867decb0fe3ef2b259730

SHA512
7cd5e514bebd588c6c023baa09ec3ea6bbd89d38c47b75f2613cce302eceac5cde8bdce87f99dfb03cae048006b41c565d8c8d73cc3891b69d6325e62d60d1fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
421c753d85259c82d3a4c9adfd222860

SHA1
99bf56a4ce9e9078a7a64928de01bcc8af17a2b4

SHA256
418a6ad9f8cc128d312bf0bd0eb91a1a0c4ff1c122d286f2284741992f37a1e0

SHA512
22ab940fdee0185bf96c88cdc5c1281f1895efecb6be4ba2102cc42dbc6e825952f3e10f5bf951606c13b2001c423c858d2ad68f2ef25e7e1833b2750df4d9d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
632ccde9f3d7514a39fee0036e2a0092

SHA1
eaa4e385c648545c419e3499600bdbd63069b39a

SHA256
ad749df01f629db8e03404692d62cabc8366eab5444dd36713addd0a347d52bb

SHA512
a5c388da288fbd8f303e59f5867fe0b29532c6ac5cdc767ca578b0f0dbf546cc1e797abb6a3b58cfbc55aff280adba40cbc02372fad2d667c89946573bbbeab5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9725b85a489cb7337ae02fcfdca6df9f

SHA1
ded1a3e60c97a7a206c1f0a79f1bc4449c7dc39e

SHA256
6f49b07adbd7eb240c597112646368c8349deeaae2f5da999c8379eb21d3c23d

SHA512
a056c6654b7d45dbf6720e96a2a1bc5dc21fa458efdf6b9de2b09aba7eb17af7e87833c1ae6f8bd2b5d11720a3a833279e49e152e69a6ce23a05330b7e517c05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3b899916cd49552abecfd7ea0e3912e0

SHA1
d5d33c99965020977cf35a6f0d3b6b35d72f9a4f

SHA256
c29f6fc4ede65e71d3253ca16dcf96cc7c2353eec6cb760d52cb4fe85678115c

SHA512
0a527bee358a8f2e01d0dd28ef3234d84a667b9e881286592e80bb5eb9effca3223ec12cb625fdba2cb33f73084f99bf9d957725d85bd4dabfc64e64270586ee

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a65f81114691a4af9189b0632cf189d6

SHA1
ae640a1e53f562f6d734dd8159f37d0165d283e4

SHA256
156284069fdf29afd362576727769f42dce64ad10de228de2bb814e39c9d9b87

SHA512
a45152491e07d0a562db8ae3c3fac9d03fed0793e597fe9f6208388ab0da63985e33e3ea6aecadeb894530c753711c7df8afbdd24acb2967e06c4467555c1081

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a790fd0bc2902c43a058e7413db5f034

SHA1
cf0caf71bb459319fbae4f660a1652020039dca5

SHA256
2c08f74f8f8042e27e470cdbb47add7d7b81ad69fd2896a566a152e574f9d057

SHA512
97b0b8aa3601df9030d75001aa5ad2ea929fb4e1fc39ae8c101d3479e9da0501d6691997c7bba1fcfdfbf2e7b3c65067e334e82ec5986f653b64afaffa1ea3e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0e2047d5b719b0fa74ff610d80dbd4f2

SHA1
6b41213fe4779bc11b8982e454a6c6fcd7f663c2

SHA256
8a8694a41836b96f2057f8b9d6a787272daad3058493e328fc1e29831a336687

SHA512
207b7f927b93e4139c81c114342ce0c35d079a0f775c21ac400759619c505a77158a75ccd7fa79f268eea683db128ab45a6eeda154e39e1c236cc03d934d6932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aec1c8d8de1580987cbeb857bc4a7bd0

SHA1
57ccfd1836a51e317f718b3ee4f74ebd6db0ec4c

SHA256
869b3af39de0c3f44e846033fbe959c448842bf3a641b367288f1054c6068e53

SHA512
6e9efdc0d8b95c103b9974c15ea3228bbb0f8cf5299b5c7b8f99c58a35ec7ae602b1c7981f9b40a6558f25762a1b2e68d3ce29586bc7416ccf72716bdbba2264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9952fe5eed08e7ae026e454a2b9a3a9d

SHA1
292a5224af693eb10ace163f0ed1864acf1b5d5b

SHA256
33657902a924640a4335b8efdd233ce70e4d7ca566e14e3dc1648a2bff5d0a97

SHA512
d60c43e1280aa2df442958dce9c2efbf9429c332910bce22a5757b99d89c42359267a1588ab922c6e1f757c55ca671a2ab1f22dc4945813ff5b5fe47ca7b43b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6308c8771fbe17150263481f10e2ffd3

SHA1
c7ba4b57393662f0cd71313ad5d5abafd25cb04e

SHA256
fc3c4f62b643a1a3f6174ce7885cf669851c3ab1945e64624dd5f9fdfc9027a6

SHA512
6ecad5f7876b2c7e4253e0b9f91c1ef6fd1eb0eaca5681d7871ba0c5533ca75632fce17feabf3dde7eb76653a4c6490ed056f34ab17d3cc64802c3fd0d44b3f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5758fd.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8d6716c778ab9111d799e635c23c5507

SHA1
30f90025949f9f417f014d4a4b5b5439932c825a

SHA256
be5b8a0c904b06b089d756a24e4b1d2b4435854341d2b860d85ff1077d9be13f

SHA512
16ff1973e389185af2477ff24f9aacaffa25fe3a65a2d5efd7797d01fff527e9dc57ccfdf8648eca2f6196d3704334b81c896ff62d30535043708e61a4de99d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
042e1d453fe658f945fe194fd772e956

SHA1
26c2649bb127a658d153b16ef32320fd4c1a7754

SHA256
9ccf073961d9df186ee1e18ee9cbf12bc6bd9fd69482ad9b243530fd53bc4481

SHA512
b295e8fed7cf491a3b9b61b9705dc1bfcbbfe2d968f240447146c7382faa7657ea2338772ff05f7fed256c129e115184bffddec76db4ae044ff181532037e9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
056a23f72b3d23142aa641cb45ea55e6

SHA1
9be5a5baa01f1184ecaa22245f51a95b691e647c

SHA256
3a4427a94a2e5be10e3fc558b0fa73a3f250f23dae18314e384bb443c1a54c51

SHA512
73446704e5156b095551c8a59ed681b41171ada7ef0506c6aa53288dd64a8064a0451a76eed53c302c22763e767c7df6cfd39563282517511e8daf24ef907996

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
a16247eb005f9987010d4cbeeb12879c

SHA1
b3b23c7d8cdb7bf5e427959058a00e155cd404cb

SHA256
6d580346a756206d761d159721356f56bd86dbd1b51075746418468bcdb3dbb9

SHA512
213af60cf10ddabc9c8b6864a3ff42c9e0c38adf628408d7bbb9ad1aa6b0c69e9e9ba9ca0909ac09e4bb532edb4fd8e5d85cb313df45de692a181055717022ba

Download Submit
C:\Users\Admin\AppData\Roaming\dd30f01774f8f84a.bin

Filesize
12KB

MD5
49dbed59f19143988aae7dbd90311c01

SHA1
35a5923a16f1ebbd09e326f605b2cf29eeaed66c

SHA256
e39a9db789572c1e589e562ccac07862931d4812faac563dc7662bba543b0283

SHA512
48069b2bf5a00efbcd7784309b726c4ca58d2afad754cdd0766cbb48f3d4e51628f7e671773d44dbc437da6c4c2693b9cdab6a8a05e2a3035b6fd8525f8a58f3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bc7f9c7e4fd6e524798c20ada19f57c9

SHA1
8f4fcd604dff2293709f639f7f357f08b8e75f7e

SHA256
719eaafa8194250c2b2f241e3ccd16bc8bb2f840e6d8c51f0fdf1c0ecb0496da

SHA512
85d1dd0f0acf64a18d1feb46d3f53552cf64a4f78a4fc1074620f609d8bd5dd328f077b2ba1eb65972cf11cb94d1b410447078c1ec18fd954b6a034aa52939e8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7a7094b9dc3410f27c72190f9ed79174

SHA1
2c2d098356cd21e724022d41e5659cd31ad785be

SHA256
394f92111a7d70aeba5c13e6db9f92ede1557f5c16d392ba7b19b1f01a9d9930

SHA512
765102c1ae2b446224c77cd24320a6d9d8b59dcec81a5f2289a2584cccf1aa30e10f3a6e29204cb036c8410f4425b914ec3af17678a91e5e23421ba7d3f8bd49

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e8d93d211e55bd1544bc999224694409

SHA1
9fd3915addc527671e89c397fa93835056b0ef4d

SHA256
5ea648b56db550780c12dd4f9af182e5e2f32505fa213ad65f5a03ad104c8831

SHA512
60bd4a2686670a07ca14291f395a3062b436c7e14ae8537b68400d006c52d939c0523ed0edc9cbc29e6a2989755eb27747f6613050d3cdf63f46ef90cddf5334

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f3d4c9d9ea15f34729f55c217a4a84f

SHA1
2b6c16432c022dba27289159cddca80856cadff9

SHA256
e35275f172daa6035bf1e8cf0509338b8dd0326306281f0a9be9c3676b9a00d7

SHA512
10384d77ca7aeb283501eadcc1904accb3b9ac889131f7cfe4d28a68f4a6f3f8257f04ac650565fc06063a4be888dd4c9862dc92a31ac988d1dfce074dd8634d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
74a68d4f77d5449efd008b8e1c1b6e22

SHA1
987e1eaa29a7aaf9974fef825c3486f2cd6fb2c7

SHA256
de5030faffb810385743325e90309bc2eafadccc722c3ba01e90ce2e8eb4dcd9

SHA512
4e5adf0996f479795598b7c90d7b074f2e740cba04be773def1246f4dab52fed58d321c17b7ece277b031c17f075e848479cce9c20e9d632ed21cf0c80866caf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
320ed184f18b8e6c42f738933d635edf

SHA1
1daf935a516ba55f251b23d1fc72003506abfd20

SHA256
2de3504423857ea6f5fb22529c658a9ae314cdc9ce84cfc641253274cec79022

SHA512
1b7839b40115df6e4636ad65c7f92128fef7368d3a07140069bcd3b297dbd6299982cdf7da71525f2f44f55a6c8db1d81b0ce340e7a88f553617ddb19d97c39a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d54ab73e3f6b190f84ad6b3389ad976c

SHA1
fc3de8a0520b9723fcb79679b10487a8665133f9

SHA256
d6581aedd4b85fdc346260bf450f53574c7ef90e8c89ba4e4f056dfddd15a9e1

SHA512
2746152137a8008c148c24de66682c818f92bbb54fa40a95cea6cb711bcbd36416885fc1a2f754b727607550f33693f5e0b1e3e75f336f45900365b323a727e1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
44fbac096cd30609c98ebf82290bf7d1

SHA1
2544f2bbc6cc4ce94578037595287c0158f558c5

SHA256
b71977b3ba7c1aaf579d2a282d7c026e0bf68621334c25024329a49a0ebb19e4

SHA512
f488a81924cae5af843fec6e232a0f6a7c7f7130060815744fa67dae75a769e5cf6bd7e81e49935c21bf9a32b792fb4b048e02c1c46d97f3ebe985cee62af86b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44e5827ae8ec982401e1f7187908638a

SHA1
7596c9f463fd0201d8207c1522f26ba1b877afdc

SHA256
e1f1349d95359ad52eb52aa475b12d991c850725626d24f67198c098b641a62e

SHA512
8ca204432e9c473932cfec0ac23ebe22c915a9d941740dfb65eab93cf6c77abac380004fa747fd3c5c87220ac542610db55833552edbd20a6d8770d4c3c5c818

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f06145ac55e795565b57bd6fb0af8f71

SHA1
46b01d7cd328207e2d33fdbc49db84195eae7133

SHA256
8a522d2fffb4a261e2bed7132f3d35c78e3c7c7dd3c643c545d2a499fd3be18c

SHA512
c07c677576cea8912f1ebb3b7169c3434ceea4b082c8b781990f9b6f6002fd09a85ffc9ca5e6dfe02efb2d592987edb502eccc01202c52cad026820e18fb02ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e9bc374e332f05029348a2ea32a33dda

SHA1
cec7e3a0eb37dea92234bcfe53bba04d16eb5a8e

SHA256
c3390e38261ff54fe1f6954bf914f60030e6c63a904ed05b94531f22fa43eb71

SHA512
58f37cd1136da78c24ce732ee8bdf9be25023010dea726ffb9517fcf63f541f8727cf7c2d801fc8ff1ecd14295f38742d00cb85a3ddfbe42fea62694f1ed4696

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
979d935d8cf68f187bd7b9d7cbea9f2b

SHA1
1a68ba0a0faf7e637ce1e803392e7bf2e10ebfc6

SHA256
4a38d52b47ec19ed1ec77cccbe7421925c7d45e7bb2240698c178b22c91cdcab

SHA512
0cc10a947cb21b447f0872ac5398b528dc97835d909710ce951bb6cd7ed152ea33246919cc05b335a5a155f2eea55a0c2fd91367fe1951c0be4423e1792a0294

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c7369c4baf3ae8ea4349ebc25ca222c9

SHA1
89eecc14e12f4aeed01ea321a5ed614af410e97b

SHA256
ba7ea6721fcee21c2b925723387045c3ab375672f6a497acaa62f6f4ae79d721

SHA512
3d7dd85399853dc3ba808374541b137ed913a490eabd3824585c7f086f59756543f4a7b2d6630e763f0265fd9fd872ede16647256309868c87863e1e2c4081f5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bcccf87a9f1f90fa813c8c9319e2d9f0

SHA1
b44d43e9fd35cf8791f8f4bc3741772b34dbf1c5

SHA256
0fc7a443b452ef632a2df83c5e48ff8dd477b4d5f5a0a5003c43ddd4d759613e

SHA512
03e56bcbee26a3285ae2c877f19e70baed922edda0ebe47cb7893b816409449fc222fcba03ae33b6edca36fa0be3e4733d9727b90eed3a58f400655a7b93fed8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7f82177d5d4e0f0eabb2758f603a3e46

SHA1
0a4d235310429ca377a4d6f0b0f711f4c6ae7564

SHA256
5e3eaf8a871e1de22c109383bb5fb966733cf12e7ca332ffc46ebbd1dbb310d3

SHA512
c2a2254a198919134ad404c2a4ddab02284192e75653cd5b8826cf532e8ffa0783f612d2db473f26514a24d5b112e2495ad4c635592c8adffa14c4d76f9dc40b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
438862dfef1864cee7ad79f3b507bd50

SHA1
4b26cddf5c0f4895ec78c0cd5463cc2659b7956c

SHA256
49d6a9bca845c61253dba15e818f7fb25aae68cab105f5a6b9fc2d6400c18f46

SHA512
3ba7385156bf72d7518729e5ddf8c100f44a140b0b49a645bf364c5a07582e721897e1b75a8ad0f323a5747c387845e99e70d6312527f8d6030757247af1a755

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3b3f43d2930b03da5514fb2a11f6f841

SHA1
7897ba12c1f4523698f50a5b3ef9d64bd8cbfac4

SHA256
0383c6b5fba4269d42bfe0f5f2e1af46d55af3ba37cb24de130cac5c4b6bfbd0

SHA512
7eeb8f1e82f524c3e73223ecd927eeb8d4df09bbd4bbed4cdc00f96ead9b121805ce1a1256a5eb186590abb9f902d6cb1fff3e980bcd6fa43f3ce53a9db49739

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eeeb88556a7c556da3e7d7b78b17cec8

SHA1
a3c6f39a738fd338894e816b13e00e7aec04c99b

SHA256
2ffc1390cf13017118129e0cdc13a934edb8bbc9bb23ba89c8049aa3ba932f14

SHA512
e057bc3eab13d5bb55aba93c54db2cbfa2fdb0816da35653589fa1f01946a24eaf534cdee26946e19d343b290238822c3f02edbab7d5f63763b762c6fb8d8376

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd826c477dd3b59ef27635ac12312972

SHA1
8885f607da16e30a0e076f0a02a14de022e04b74

SHA256
3892c4936d9eea023468a375b1d1c8481ef68b0f359a0f6aa29cd429adbbdd89

SHA512
9213ae0aa3f36eba04469e62a1e9e1d941953f264a91937ac4ade1929d7911d43c5a2a4c2791f11f9c65b4305ea10f01159681f22992e29fdd264a406af98dfc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
af28f8edab5dde434bedfc2be306ea88

SHA1
3c5188a457f3b09add0a082a063fa2c29ac1e752

SHA256
0e84aaae31785ad414acb1d69cb67299cf9b5379e3db85283a82b3721bd6f35d

SHA512
4b2df8eb9b22c07c42b42edbf80e53a32b25b678a24da9b2e692539f802f3d4b0c136e882e7e3f02e04175a608251c4a1721365f6308342a246e222fdf4a6ddb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
fd15f8733f2a2f48556b8cbe09845629

SHA1
78e283caf5d189618f3cd90b0abef88831cdc718

SHA256
000ce966625b30ac6ef5d44e1249659c2f2217de4760ac484603e1e15e00b420

SHA512
4b30b7d85b7bcc96a704cc929f516962780cb18878235a6ba3be32dcd4a4576fe71fede26e0fe019e8554dead39e8e9a7fc54268e1e98e5d7e987f0336885c28

Download Submit
memory/1580-168-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1580-179-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1580-234-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1784-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1784-98-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1784-102-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1784-89-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1784-76-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1944-16-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1944-29-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1944-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1944-110-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2024-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2024-261-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-44-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2068-132-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2068-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2216-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2216-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2216-104-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2216-108-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3176-207-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3176-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3176-199-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-225-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3516-315-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3516-235-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4192-64-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4192-56-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4192-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4192-93-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4192-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4212-133-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4212-163-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4212-218-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4352-24-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4352-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4352-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4352-11-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4716-220-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4716-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4716-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4736-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4736-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4736-30-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4736-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4736-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4772-113-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4772-114-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4772-123-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4772-129-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4772-130-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4836-183-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4836-191-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4836-248-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5216-239-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5216-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5216-249-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5268-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5268-340-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5428-343-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5428-264-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/5428-255-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5636-352-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5636-346-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5660-270-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5660-277-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5660-356-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5764-596-0x000001E652B60000-0x000001E652B70000-memory.dmp

Filesize
64KB

Download
memory/5828-296-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5828-309-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5828-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5828-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5964-364-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5964-358-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/6032-379-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/6032-370-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6064-317-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6064-325-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/6064-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download