e961edf2ff09ee490b6e810f6b3f16b98e2bba51193e833c8c182a43607e032a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
Size

5.5MB
MD5

22ecee29fae94390b5b6bb62808034a6
SHA1

395fa584d90112cda66bebed91d9a09d1c9137f8
SHA256

e961edf2ff09ee490b6e810f6b3f16b98e2bba51193e833c8c182a43607e032a
SHA512

b81b32a0f9c5e83cffa1aea518b2599bb142442391ef0b9bb300327539e113e11d847e7f0909f0d2b6f77f1c7326da2bc68e4a14ef78a85a2cbc10482a00fdc6
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfz:XAI5pAdVJn9tbnR1VgBVmx/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4064	alg.exe
4168	DiagnosticsHub.StandardCollector.Service.exe
4636	fxssvc.exe
4608	elevation_service.exe
3692	elevation_service.exe
2004	maintenanceservice.exe
3008	msdtc.exe
4640	OSE.EXE
4852	PerceptionSimulationService.exe
4408	perfhost.exe
212	locator.exe
2004	SensorDataService.exe
3300	snmptrap.exe
2792	spectrum.exe
4512	ssh-agent.exe
4608	TieringEngineService.exe
5228	AgentService.exe
5324	vds.exe
5432	vssvc.exe
5536	wbengine.exe
5668	WmiApSrv.exe
5820	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\460de00f7d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2781167f391da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d962c66f391da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0f82e66f391da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aa75e66f391da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579613359900302"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b16a8266f391da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069096166f391da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005441b966f391da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
1504	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
6112	chrome.exe
6112	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2380	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
Token: SeAuditPrivilege	4636	fxssvc.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeRestorePrivilege	4608	TieringEngineService.exe
Token: SeManageVolumePrivilege	4608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5228	AgentService.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeBackupPrivilege	5432	vssvc.exe
Token: SeRestorePrivilege	5432	vssvc.exe
Token: SeAuditPrivilege	5432	vssvc.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeBackupPrivilege	5536	wbengine.exe
Token: SeRestorePrivilege	5536	wbengine.exe
Token: SeSecurityPrivilege	5536	wbengine.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: 33	5820	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5820	SearchIndexer.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
3696	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1504	2380	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe	83
PID 2380 wrote to memory of 1504	2380	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe	83
PID 2380 wrote to memory of 1616	2380	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe	85
PID 2380 wrote to memory of 1616	2380	2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe	85
PID 1616 wrote to memory of 2544	1616	chrome.exe	86
PID 1616 wrote to memory of 2544	1616	chrome.exe	86
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 1516	1616	chrome.exe	90
PID 1616 wrote to memory of 5092	1616	chrome.exe	91
PID 1616 wrote to memory of 5092	1616	chrome.exe	91
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92
PID 1616 wrote to memory of 1236	1616	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-19_22ecee29fae94390b5b6bb62808034a6_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x288,0x2e8,0x2e0,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe189aab58,0x7ffe189aab68,0x7ffe189aab78
    3⤵
    PID:2544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:2
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:5092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:1236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:1
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:4928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4856
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff737b7ae48,0x7ff737b7ae58,0x7ff737b7ae68
      4⤵
      PID:232
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3696
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff737b7ae48,0x7ff737b7ae58,0x7ff737b7ae68
        5⤵
        
        PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:8
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1908,i,4076930460667476313,12414866855054608377,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5048

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5820
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
92c338de048182a0fcdfed1b330fc41c

SHA1
6d441826b76440c0e60da94c535a1cc60621bd43

SHA256
1b8d29eab980a88b454fa74bd1fef6f379846f4d3dc7ab279ca90bf2b604fcb1

SHA512
3ee5d955ff738e4b179114b1801162bc931d0009130250ff69df0bbdcddbff7e88754230256167cf3cf7ae1c97150f198ba283e65c54c003405fb527d03a9ab6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
4e5935bdcafe3cbd429d238d92730b9a

SHA1
2d5b558631b74add1b9e55311e920b551777475e

SHA256
c6a578f5a8cc8d3de7af76a0f07391e61fae0257ea1e9a130e7d7fda97d841fe

SHA512
fe12c6b5c2629ab87398ac440c605f65723bd88cb12fddc9ac481100fde75bd03bab4b890745b80ade2143d2da67effcd69dcce2a16fdc462e056cf1da51ffed

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c36356aec478b7ec5580f3649f4e4d6b

SHA1
b1dfab7ff36e5908d2b95b15e16805f633902d12

SHA256
3fe5fe43368cdc74fe7c45a311ac6027a3da4988cce3da26e4b7a9d7f41534fd

SHA512
44c497f92a3dda8ffb640cc3e9d780601d323f31cdb1dadc18c2e47b2ef3431af793c91235fbf60fe56437b9b690067de0917399129fae35e893a84a8a88b1c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
80f4c8f9c69080b1a92572cd2491ff18

SHA1
206a8e8f40b3da8df9ebe6a1e7b1d6aa3cd69262

SHA256
3b9a54a1c9a975fbdcdb5727cb4abcee5a301d3be99a80fbed883d145be62839

SHA512
77ea2e7ec6b7775c9d49dbd6eae95a3a7fede2e8da968d968646ba98e93e59a28e940b793c47f52cb38f814a0e457fb725382a57bbbef5fc042dc39a780fe12f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d7a96da7059f003559f407110cbcb5f3

SHA1
82bd9e7745ea4dee3a1963db8f20537c18ba3c5f

SHA256
3b75758be7a5203934a272cc282726efdd7b23c31080111c019d6b06b4aeff5b

SHA512
1d4f3e640abe7ef05de9dc7928a3081c7fc7e84a90f783953ae38fc9ca099a7bcc3ab3166b46b242ac65fb30fe8d3a1a267f6919e7163d49339f0b369156c192

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
91b68c44192664e1f3eb942cea34b536

SHA1
21d2dfcd63da4b53c67fa96bee5a89aa022e5f8f

SHA256
f2dbbbe4556aab600a74d4107ff1f1c8bda713ccbda27563c3a05270ca7c7fb7

SHA512
a3fc072feb6574a3ce0b0725b56e2c64cda90f17f0520f040cd32bce71be79f081ac6986df49467c8875bc9ce501e1660a266d79a217426c7d6334043e1f7cbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
66e52ce4ce3f121be2abb44a7d347532

SHA1
5d5ccb5a407dc98bb4ba4358fbfb96c0828de616

SHA256
1cf1731fe2facbae7754fcc81f778fe39c8b3522c6e2d4c7fb229705da87a3dd

SHA512
56c0f78945e3aeebdafafaf4f0752c1061510e0417a1d0c2a86ee46bd907ecd804c7cf5931bfc15b4e3770492057129d94e1d4aa1a43fe0f822584726ab2c269

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
962134e9a8952fc6aaaa82c7e9ee7413

SHA1
223f9622c4e8031b25df92472a1a0052ae53e128

SHA256
00f11269b7751539e84c0de446ce5488e8d92f0404e9c591928a0ae43e9da45a

SHA512
16dc0d06575a89ae26068a9d1ff3b74aca017dff355c3f989ca04bd49da2094f93cb69fbbe3590fb119caaa8207e48cb3b9febc675e7d6b26efde942e4892a7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
af162d77b51a00875c0583c76906b16e

SHA1
1c845e318eb1cffb34d4c78ecb2bdf0f12e695a0

SHA256
fe955822eda589883672b65d1bf7bc8d9a2d2a676fa3a9da14043459327fa818

SHA512
a38aca4c2bcbe0d71a576a5f7ee7327cfb56de005ed42c0169df2bc940444f4ad1e7095aeca57ea59f61186962390533a8d9f993f38f8e22dcfa86e2a1e965f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
85ac9586bb28762b4dbb5f1e6d302a55

SHA1
048045d53e13575508197cf1a3a6e283077e2587

SHA256
5cf470bfa8e83111fa44e77f803fd62a2ffc0d4be026883c72fa6bddf8fc9449

SHA512
b1fbedb36522461e97b02746f33a161be81ec152a3456f3d2f6ff21fa593f0ae479d9dc3bd7c535f43fc30b9877dad363d9bceb1586e3cf4e33075940a1b7437

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4055464c5b63da79ff648f8e0bedc744

SHA1
8f5e5a0fbf9046597e9ed201e841cc117d44d70e

SHA256
ad0522fe31af353563f3efed186a9507a8e8ef3f7b30aaf796864b5430c99433

SHA512
a9c71a67274e4ad85ed660113e3bea8d029026eafd94e213921b2d3c005c94b83de21adae477e28065742b2d8e535b10bc5409162a60671a509a95cb9c910518

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0e8903d01b20434581a8d6d519790e36

SHA1
bd4d4489201dcb30990357693886cf902908279c

SHA256
8d7e88fabf0e63ff7de093f9fda736427912a3157d1a4102fc79bbe1179d12f2

SHA512
3ad6c5f6d17b8244988230b9cb0aba07ffa215ce96412b061805d4b9208fcd2705b7f917b142cc8632f44c23b958e2679efbb8e222f0d9dbe3f1e367c91a1ef4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5006fe4f07c247f326c611aeefddda86

SHA1
f1bbc9c459e02ed6ca70d2a52dfba3a68611cace

SHA256
766ba48f1d4bd29a7d767cd47668f119477b31480e1e625ff528b7004e16b3ec

SHA512
b889dd4fd02305aac2ab033d7cd426bd99d003ba3081df06a129ae16f7063a6316080a42a32d75829b1104135d6810fe1c583732e1a06b4d3e6f7a826dd156b1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
f47d33d06e5b6212d0f4b87a898382f5

SHA1
3ae05d16b0e80221ca07fc3cbc6dbd2253993da2

SHA256
29989b4b42e7bd050d875cdc7401620838261c8718b77880c0fd0d53b8b597b3

SHA512
fbc7eb9e9f43e583b0485c9722e0acd3b6877e514e67d7ef7e87c5e4499365f6309b40df147ed90e0d4b2ecdcfaa4f35d84612a683311bd84f77dec4195296ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
41f8ee19598fc091382c1d886c236eac

SHA1
cd8b6a5980549dcf486c57396bda1b1f0995a230

SHA256
a87046b44beba3b5fedf5e4b4fe3efcbb15cf1ede8d3493945931d8e8c2b8ced

SHA512
8ff706e46fbfb14c169cfd8a9a02d1dde4b477b00f65e4a74fec5089d5f618dc330712bba2e93f20a67cbfaa1e07285edc92f48e769c98f98c5f80f2249ab7d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d1e75791e448a593455e678f70f26180

SHA1
4a4984bbe36c29df0071c507723898cd8a033624

SHA256
b17f3aa108e0aa122f9cff8fd2f2f4fb1c4b7fe018c0b1b70d0d59d71b299402

SHA512
96a8991cf6ae090bbb87f8b98152d6caad872fea001d020358065ab53ee1d34c2c786647a44cfc43415d265b863237ef1b53e43ce713bf3d13fdf2adab222381

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0b475376ea027f700d2a3e2e08d40dca

SHA1
56267310dc43a485a7ac3272f12f1c8368b5c5cd

SHA256
0ec7222b617224ddc8d722d5785f64cbef4570dadba591176728d8fa20432701

SHA512
77807fa96b676e21cbf1abd689eca564e2ddcdf66038386bbd4f4eedc954f35e65ca51c9b22159bb41f879183ee2a53cbb82269f07cdac872170cd7af3ba837e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5342c819cc1fe87cf46e6a1becbe0b34

SHA1
14bf4b930d3fc9c9f5b90394c85dd3b906dee762

SHA256
aefea29d39d85c4a2c5f5b0d9abaa4d59fc46867775051fa4b4b9ecfa702a401

SHA512
c32084dfc8f07a869df26b404c510e66cd8225c40b25588e406ed525d8b71719dca7c123bc185fc88e6e9061bb306e3d6ce0c55d9cb64180bb9c8784541e7311

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\88523970-f049-4af5-9d08-5440ed479b97.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
db73712ec0465ed25fa0fa1dcb628413

SHA1
17ff158b0ff083c2e3c74f0b3011094314e05e24

SHA256
6fe171fb8f96b34eed1b6ac1fabb1920eebae78c614c6917bd401e94f900338a

SHA512
6c7e72e6363b4cf36893496843fced48f89e9a1b37fa0563f3efafbae28afed1b9bceb352fc128c0ac2c111f8a6f5215b2b64fcc5ab170851a5dd4842830f0aa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
dc058cc94319e9f3ea8e99c3ebf474bf

SHA1
ea815fd8cab91788b0f13df69b86e1325ccc8ff3

SHA256
fe4b477052b1540adc643ed71d7ec76c05b99c28f36dda277d7be766a9f81052

SHA512
80f2dc5dc4946b7c43fa6d30207f80faecdbfcb94e2091ef1596bdf368bb390ee1bb1579f5a39eb4dc08b926c25f7413a726139b65e3f4c9fee0d79f16335718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a251e7d8920ad0ae50087d3903f218d1

SHA1
89a40725b1fec22d61561b2286720638ac0f6625

SHA256
6045f9f01ec3f769a595569f236cec5f057170f13aa5c7f8f01df1cd687725d5

SHA512
0b3c16211e1da01608cab5853c907f5c061d22aad2f83aa990fd5e27b08cca8147c0b0f02af9c91e10b7dd8f9d658360a0d73900b0c101fd2a6758386007bc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
32bcc76de296d3d9ecb4331370337598

SHA1
f8352e7bd8617deff73e42aaa438b112c28f2290

SHA256
5b07087bd348a6e6c33c0bf578b771503b4bdf506940be4cad6c94c19dcc6a99

SHA512
f8ae9b4af43706d276bbbe8c678bb75245175ac8db2bf349ea65734e2c7e466eabd0e729adccdd7b8b44a0852bb0185336c6cdeb7a13bde70633bb9af7e98941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e30b9558b7a45d6615c765851345806e

SHA1
49d01e0bbab451e8f0e2688181124fefdcd50188

SHA256
06a844d21a03b285c4098804f5909622ec9f025c1caaeff0ea2fbbb783b1ca7a

SHA512
45193d165d6b06e1a5516e3670f5712a4728c51a1b793e3005ed3ab333e9e4ff93fc24b9ac632d125d4f15bc8dd2468a39d738b1acda911aa941f089d26d2082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
53b3b6622bbcb4c5b9dbeeeca19b2cd8

SHA1
a8546a34782f78ee01954aaeab5d5ecf2ea9f6cd

SHA256
08f767ae17131edbce5eda48d40a7e780b06995fc01a644527f7b2b930ac0922

SHA512
b52409bf3923ecda0ae923fc9980ec2029d6279a7e1c1ad7b688f540d8b7d6ead39e269e9249384ad035c5cfef9db2c7ba309e0b9e4070ef7eed79552ae500c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575d04.TMP

Filesize
2KB

MD5
c541d6caf1eba2f47a57217be76c5517

SHA1
6fbea28eb3c243a578e6d904eddf794b51c5869b

SHA256
1e5a9517f8e3940d71f3321f9075ca8bca5bb1e82eed3bf223d0bf265b960b6e

SHA512
bc9e7551a58873b1df732905c27e112c830a71bb725170c4e45e3c21a2f71822cc3ce48f9041fbc21d2fdbea8f5c8537e5d027fcffc6d2c67dfae7449e25e739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5b5dfff225df0557aa6fb0c383a018c5

SHA1
1257407aa2c9fa5ca6d8053cafb4732c00e70458

SHA256
948cdb213c009464500fe320824d5f4fdfe34597f4d94cfa9d8b83d864292714

SHA512
13c435f2b9a9090c471c0a0729c291cc4df963932e60096e06938ef41465331bdb24a5a806b51f61a2cf6bccf38a3890b2500d29e4d38aa73892c3e3d2aa4e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
4392e62ee596f2f76cb17179bdf53e0e

SHA1
5cdb2c6e615ff09955659c3efd0e734b5c441620

SHA256
a81e47b75fa89a126cdf1aa07810bf3e51ea41105d40b38aacc18fed988a50ad

SHA512
71091f7522b9b7dbbb320b8e33ad47b87848d7b20e4e41e7507809eaa39e0b23060137b005e08f677b63ee836e07292fed8d585565a8a69c0a63010c13c2be82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c6327209ce2f7f0097da192ffda91a22

SHA1
eef34bb3cc63684ffce380efb9edecb77ff1409f

SHA256
1d5c6595ed77942179cabe2fbd4f9380e32af5684f3eea0f3cdfa80182b1e9dc

SHA512
12f77f496b0ea9e86db8782ded4b0ec070a6521b35e2b5b89f00734e88a41cef54b420d55c7b7772a54474ae32ae22cb3c03f77aa5dac7b92507cfaa05cad87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
1acfad72abfc928cca94056d688a671d

SHA1
edbc91df0c27c662a0c27664f585a65399729414

SHA256
02cf046ff4bc8d84cf81c5fc546c445b3196c2a9dd294e98093e0a64727c6081

SHA512
8775ce0111faaab530d1c80cd4d18977dcdef949df6fd68aaa684493da47de491685c1b3291932fe98fcaf842c70e87aa8a75094a9049b2e1626f83e599e0b5e

Download Submit
C:\Users\Admin\AppData\Roaming\460de00f7d34635.bin

Filesize
12KB

MD5
7d54b21d3a93ef35343639b3cd461ea6

SHA1
5d342ed12206aed682e125989c4e8437cc130c35

SHA256
abfd5c192ca5d6dd2f4231527a6f3754b487f7c17c9a4ad0a5aa3a1be35d1c42

SHA512
632c5b9a1a962584151bc6fbb8ffa7541f81229c900ada9720ff161c62b2c03bea679b6322146fabf9afbd759992c0a68b305f2b6ab3e36bb38b083e43aaad65

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f0889f16cfbcdbd2273a6c1d502f7917

SHA1
019b667dcda0a778d53a89220bb111369bafac24

SHA256
6c05890c264164a99732e75536217a564d92a544863cb470062cf7a1dd88bd18

SHA512
1d27d3cdd5b37da29fc1c276441c317ac98218937b1f76f14afb167cf2e45ffa69dba12f4844f0059ab5efe3f17ec4b020b54cbd2ca618bfec3b346af900019c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4f7a0cb8a53101751239f791730c55c9

SHA1
2cf4053c7b56d24e98258d1adb0b3f9fc8868d7e

SHA256
e7632dc63759cf01cafba975ea03d4a5e9d8fd1988ddb57fb5ed176db2c59fce

SHA512
09598fe42143cc26138525efd310ff580a5cd3abeb3a93e389a66c8afe69d554151a35d11286235d7625a0a3aefa995b5ee941c2e636c9c22b6f32cebc97faa8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
22c31a23c0004b31ce59baa41a6b11d0

SHA1
618da1cd27bbca7e1290460a33d209cea5902a6d

SHA256
2c25cda92f231efe7782a4c2fc0d69d9c016a16d2e4b829715b536300597d84f

SHA512
dba0a6ac2a82eb493c1336df06af8ce415e542f0b654c783b6b9e3ec136a376a4222e152a39042d327e43493d7508696a8a2e187ca188c2fdebbd6c224c40e1f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0886edfcbcdd6fd387b4e187eb25013a

SHA1
10e18a236dec276266eae2dc458079503f7e4ff5

SHA256
4c7b99925c06ed9ae9feee4618657e2c38283d657165481d0ea6dbbe1d88aa2f

SHA512
885f8d3367fb1962bd8dc6ba45b41ef09974dc324ff5be03ce3a590034fdad806f85cd23bc70908c0428956a467b0750c992a73ebb0a1d1b3208c3d0607eae36

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
96650de023564d654a2249cd0880e64f

SHA1
1ba687a09427100827d345ba61bebacb230dd91f

SHA256
cad1b801a3393e5f1acf18d84e318bf24584bff67e05e3fe41b95c34f3044611

SHA512
9974f27fdabbe450ad5a0f30cf477ab770a5e5405945db1446029b0f039d5f3c09640eb55617ec73e072078f2abf43c45ff696a1ff3adbd90811e6749f77eb88

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6fed3c73fff13d2ae160199a2c3aa9d4

SHA1
f4b18f7a85ee0ca5acbe2e0dac69566cf84a32f1

SHA256
590d2828818e904d6e35d6503a1a2c61f4acd0640c647a8a0e0d8463f2ce4c27

SHA512
fe1d41e64d130a179ea0822ef5e8e61572cbb006ba19bc34e004b4d7b7422445f1c41b3d04f528733403e4ee9bc5c612a869d766123de4000cd1f9c6874132a7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
2301f3894f179a9527219b79407d61fe

SHA1
b366213eddd401b06eb97522805367e99aeddc15

SHA256
6adadbcabc0da934e14d1856fe66476e6e7fdd7c229fe0b55cf1731e821aaeaf

SHA512
5b57ea32ca50bcccf1807c751a85a372adef828a67f22175b6482f22cf8e8ddf79b82683043c392a5f536af52d764c8dbbd3ebbd4868d39ca935dc59bc61c9a2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7dee7b8874a10025f20a88a619aa2ce2

SHA1
5e25a1b34fe27928b95c2ac0aa2e769c35e18584

SHA256
50d78388dbd91afbf34fd4a66202ff1fcd0ff26b373dbb84e7b255f118fe803c

SHA512
479d8b5feef6669801ff737dc657b917fcc5b836e8729bdcb639953a6e3da0d96a92eff2318e2137ca55effdbbe9f3c0a2225ce4f513473333cd6902f9d8b29a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
25e35e34d5512379b8b3b7dec81f4b42

SHA1
8e6b219a08ea487db4bc39682be753b14e339bab

SHA256
f0ec5bbc0a994b0e2b9973f2b4a5a14f13c8e743ac43447e6aaa2361d929376d

SHA512
9f918f4ed93ec614872e200986cfc3a34f1d75ce602896fe6a05f3b8c8611f1645fc71234acadf7d3d3ec6a158c2ef7c8d6eadfbd0e86957eae97583ecd0a846

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7112cf0ba48783164b90b2a0b325f433

SHA1
c4d176762cd6e68508bf5f9c04b26d4fc0bb16ed

SHA256
706949ad344936a9203c48c9c48658b91a088da589398ae89f1fc68d5c668d7a

SHA512
7a073edf1d26a511f9a7ce56bb54126fcdb75ac42dd24349ab86120216625400f44d73d7c59bd94feb3a6cfcd9cb2ab4c18465e2af233db4ca689f2c17378b1b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
87834b6f4a7852cadd72f7894f621cf0

SHA1
121a89bb638c0e518472d106fcff0198a956b4dc

SHA256
68b9e5c4e72ccdf6e108a2cdade4c124f0cf7cc519baf511bda9c192a31c78ce

SHA512
3322ddb8ec36dee1c45ba6a21da6f7c6e675f2f6b4c1e50406b20b40d90f77073c7175092687f4d565376ecd547144442200894342f314a57a481fb9b2d9cf2b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
62057f7d5bfae0d1fc6bd1ab175e6592

SHA1
261fb99d722fc18a2f2b54c92998d82381f04b95

SHA256
c6d6def96c43d76e9a9efa84765f6e400d9a9756ef3cc78d728efbc177d37313

SHA512
3ed7a5e19833554ebe990c53908cefffa2e98f077d123c2ded00d64334a7bbf75bb6fcd251f5fd5da72ba17dae0ba6e45b0c8761547ba7136af6573aa47510cc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
59c70f7b67a989ef11e650b3c456c951

SHA1
04cd0b9e4ef9c1e9a7e25454cac909e0ee03fe84

SHA256
8c83229927126851d0995687f197fad9c17fec1de52fecf0673c1380c3bcfa93

SHA512
4e9c88410c1a14939e6e059dcd7f7245ef821e7cd39333c881c2e8d4e0a8b504d9d7fe284864fc013486d4820c631571d5b45b61a0c7e39affade94697e5ed8d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
1d8e72282b13bc7a04a6fe11b9ac0857

SHA1
14e09454f08399ed8c874ead8dbc4c7c8cb19ed7

SHA256
6162a50b702e9ff81fdf9a2182d3f1d608ec4ce1057cf0fafe914da4f74c7850

SHA512
03c63fc2e8ffd54ffc8cb8a0875492230d7661233508279b1b0e54b688a604d04137d67e8f7a8e633a6700f6c56297d7e86873519768cbece61cca0544c075a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8b42d969ef51a6739d0b2922f376d971

SHA1
370ccc0387eb25bf47d4d60c0b6a8ff525116cfe

SHA256
a434af12e72df884a1c673a88e647edb4ea67fb1684b8cf4b8fc60b51e335560

SHA512
b8f64d88edb72920c89dcdb38edc13629a994d1c0fc57182251a541683c213c5cc29fd8ea06c3903f97391778040647069572361ec24eed9d68504be08af4b84

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a245df8ebd8f3d39fd18590e9e2573cb

SHA1
acb9a350e979287a05ce05027a64736310fcc54d

SHA256
50ee63f617febd56412321a9004cfb3b5c10bbc541e21f7d6be0f69b9278ce4c

SHA512
7ce75c5c3e3e926855fad6ac4c99fc1affa019c75a96b04ece4d679a84781952377aa9db6207cfcdaad79ef3e2ff97879b51f52cc30f2a4141965f57f3c1c29f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
b7e25d2902634fb7699af5cff871f2d6

SHA1
3f10e617a2e6c1a30dae59758567cccdc4458042

SHA256
b3a660bfd8189d61dc30d52919f1aadc5e7bd07ed2b943fad04aaf300e1c0cfe

SHA512
b064baca3b8cf20d4a80c37e61680628856cebddd57b5502f63cb41e5e21c5b1eef1b2d8136f9555dc3e8c5957fd5bdeb19775d1b3b08bd3be893215f3c95092

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40d922802d0dfc0eeccbd6c4044d6ad9

SHA1
368de93aabc3941b989300ead17362cedd9a61cc

SHA256
b81b806ace59b1574993d0089766647ee5e32517f31bc01475807b113f497b91

SHA512
84d35f44e6a700ad1792e1a3cddb16b0698218a27699a013f02d458943ee63c42866c048dcaab54d73af18e85113a1adefa0eb6b7f3be6a30639294d60beda89

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
522df09671ae433429bbcaf7252be0b6

SHA1
61ca04f9f4e85e8568ad48873b678d1e513cf1e6

SHA256
280a84c5c19d1271eeed9e7b9b3673a1981aaa57f14c4fd4b13ba86d8673869d

SHA512
f62deed71d60fc03149e67987af7a52bf70ede79171316883d37f3f01ea2b6c4973a677798812609030400f9d4acc0e3f3a52284e3ccfe5212e90cc019107319

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3f2e6e7576368964d74218bc8eeea5eb

SHA1
49f57df177ed7aeb58f1e7f0b30b11f04c9464e2

SHA256
888e965b393e04ec05af1ef12c351676466fad00f1783f50c12dd21f9d25a5f0

SHA512
04d60a2445a0f789498a3ad9fd65ba8e6f927251afad19f4ff78a47e131b20808e68de9861a44ff13a213ebec028c1b382efb6d429cf00433a92a77862ad1ed1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
dcc12d9ca463d423c06ae45fb05d2ee0

SHA1
28533d76975ba332c2831ca06decf1ab3824cd0e

SHA256
696b724c58685fa32e116fcfac01249cac666854ce953f561d577402f1222827

SHA512
f2ab659755c62ca883c653f580fe501fed092f6e4584129dacb514c2749b547ff6dc14825949d5f6bf86eeb635e63c6e88dcb885326cc4e8db6095dfee65e43f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6b12cd77ada70ac741280b0f6e5979bb

SHA1
af9e23a38ea67e555370433a7230a78a42425732

SHA256
893c3d114ca88a540d79bbb9c260b40deba87e3b5496b914b4e990069822490a

SHA512
94ba197306eafbdebd5beaa18af43d669e887adfe913a8c5733aa813614fa195a3cd185c2fa8d65cbecca5663252b5f81782f8da15297d18bdeb922178883645

Download Submit
memory/212-209-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/212-294-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/212-202-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/1504-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1504-12-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1504-24-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1504-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2004-138-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2004-131-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2004-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2004-226-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2004-137-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2004-117-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2004-118-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2004-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2380-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2380-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2380-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2380-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2380-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2792-267-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2792-276-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2792-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-142-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3008-223-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3008-164-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3300-323-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3300-260-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3300-239-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3692-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3692-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3692-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3692-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4064-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-22-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4064-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-103-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4168-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4168-53-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4168-47-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4168-140-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4408-288-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4408-197-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4512-282-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4512-349-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4512-291-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4608-85-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4608-303-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4608-363-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4608-110-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4608-91-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4608-84-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4608-113-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4608-296-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4636-94-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4636-59-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4636-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4636-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4636-67-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4640-259-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4640-181-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4640-170-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4852-193-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4852-274-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4852-185-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/5228-321-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5228-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5228-316-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5228-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5324-332-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/5324-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5432-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5432-346-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5536-352-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5536-358-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/5668-365-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5668-372-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5820-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5820-384-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download