cb0e18202caf14650118817505935fed7b9adadeeb59eb7ec926bf1a0817c31c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
Size

5.5MB
MD5

f22a124d64c050e42fac2a7c12eb24ad
SHA1

06275f75f92aa8bbbf4cf1abeccbabf664a132b0
SHA256

cb0e18202caf14650118817505935fed7b9adadeeb59eb7ec926bf1a0817c31c
SHA512

bbdb4915c78aa53093212a05f1eb4d153bac74e6a5f6bb80d788e47bf915c1267e2a33e8c4195be62b715232b3e6baccc8949b17a1d5babc7e8729c31f32b45f
SSDEEP

49152:6EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfh:wAI5pAdV9n9tbnR1VgBVmXt2sEE5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2296	alg.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
3728	fxssvc.exe
2940	elevation_service.exe
3112	elevation_service.exe
4048	maintenanceservice.exe
5060	msdtc.exe
2872	OSE.EXE
1144	PerceptionSimulationService.exe
4512	perfhost.exe
5056	locator.exe
632	SensorDataService.exe
5148	snmptrap.exe
5332	spectrum.exe
5484	ssh-agent.exe
5660	TieringEngineService.exe
5804	AgentService.exe
5952	vds.exe
6052	vssvc.exe
5408	wbengine.exe
5840	WmiApSrv.exe
6028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a221c16874f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b68c8c9d892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000884483c9d892da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aea001cad892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580598611459894"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac379acad892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000581c9bc9d892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c7e9dc9d892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
1072	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
7096	chrome.exe
7096	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2892	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
Token: SeAuditPrivilege	3728	fxssvc.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeRestorePrivilege	5660	TieringEngineService.exe
Token: SeManageVolumePrivilege	5660	TieringEngineService.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5804	AgentService.exe
Token: SeBackupPrivilege	6052	vssvc.exe
Token: SeRestorePrivilege	6052	vssvc.exe
Token: SeAuditPrivilege	6052	vssvc.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeBackupPrivilege	5408	wbengine.exe
Token: SeRestorePrivilege	5408	wbengine.exe
Token: SeSecurityPrivilege	5408	wbengine.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: 33	6028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6028	SearchIndexer.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
3820	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1072	2892	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe	87
PID 2892 wrote to memory of 1072	2892	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe	87
PID 2892 wrote to memory of 4496	2892	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe	89
PID 2892 wrote to memory of 4496	2892	2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe	89
PID 4496 wrote to memory of 4020	4496	chrome.exe	90
PID 4496 wrote to memory of 4020	4496	chrome.exe	90
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 4564	4496	chrome.exe	94
PID 4496 wrote to memory of 3776	4496	chrome.exe	95
PID 4496 wrote to memory of 3776	4496	chrome.exe	95
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96
PID 4496 wrote to memory of 5072	4496	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_f22a124d64c050e42fac2a7c12eb24ad_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe817cab58,0x7ffe817cab68,0x7ffe817cab78
    3⤵
    PID:4020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:2
    3⤵
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:3776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2092 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:1
    3⤵
    PID:2428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:1732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:1264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:5636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:8
    3⤵
    PID:5848
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:6044
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff760d8ae48,0x7ff760d8ae58,0x7ff760d8ae68
      4⤵
      PID:6116
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3820
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff760d8ae48,0x7ff760d8ae58,0x7ff760d8ae68
        5⤵
        
        PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1880,i,13680150243365280500,13630497620814782659,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7096

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2296

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5060

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5888

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a9bc10f55df9a8a165034cb3bf43a0d6

SHA1
b3879753c67e3ff3a34b66bf8014aee467fd8749

SHA256
ef33c5f55ab4a9c29029de961263e984d9cc66ffb44cced097a4e4cc3b9ce2e0

SHA512
2a57dcd90a4d88cd54b7b065af27e026b153f7d78dd5a31301624c64bdb1b9a0c2bbe5407c2700a5e4a78a8e7acbbf838917b94456cf8047db15cb9ddd504112

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4a47bfd9ec8f70c90235e985c7c20c74

SHA1
4ba070fb2056359ff3dba9a9c158e72283615c63

SHA256
11374c2f8066f64905dd4d48282c4f0ae81479c6ddb88295f54239e5c231a520

SHA512
e1300d6ec6b271a73a548c38a273a82a06834de4ce4bf1c3a0c647b5562fe8da586387925e96dccb4b7b2d0a901ca7a8adcdf8cad1eaa765a8c44e25dbfc6870

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6d6fb724c32f1f97638255e76114f04f

SHA1
7946dfd5ec5b3e6b7df210a1668d6864106af44c

SHA256
00dfb9000c5132437047e73930989a067e3fd92583998e483892f981bd85c960

SHA512
81dbfb3c516b5848caf1650b737ac469d52f8426d77c5e4bebf1da790fa8c0cb4f838731b25f81e08684200407a029f36737dde1e00b6f72444b90e791fa5d45

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ffcb0cdd53a8ba3175fc9b93969ebeb3

SHA1
865bbfd7ee530e4e27bec3b19792c84cf9a726bf

SHA256
e3f4265fb7340e5330bd49ec4bc99921944cefcc6a949c557b80b2277523419a

SHA512
d56b24e705fcfc248df99fe51240b0c50a6af92e2c9d1080a4b8a1f877834d8d792704a8f0f976b8bd92be333f622e8127f2568a37168071b16bf53ffd775f5d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
69d84c0f6d98630ec713dc889051b8e7

SHA1
116fc826d419a04d698c0c44876449ed037ab8d4

SHA256
785a7f2cf9dc71453c487b95c0623036f4848757acb59804c0afade918ba4b8f

SHA512
f641c7f7cafa62727b032b8e3ce51947b5275dad78ea09804b5e4990953b77774be4045302cbc9c28aa81b306f7d0a28f70925a021870a9bdd126d65e613c149

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d5e87edd615b8969bc4ff9d630e328e9

SHA1
b06a6330719ae93955dd9671fad5828cb71cad79

SHA256
6f56148678a72fc411c9d7a45542a328e790eaa04c106f75d1b802faca3e103c

SHA512
78d42763e3e4d3d5e0ceb54f2d07334a69398bfab03778a8650eca480e2f1cdd2941424cc23b1e45c1316c4ea3da2fd0d71dc762938b1c721ccd4f389def5359

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ccd2aa66a05f14e50d41e7e9b66a5cf6

SHA1
31e758ca6e084582d2b25e0834752c7902f74227

SHA256
26af1cfc572ec5c7fb8b2d3219e695ffbd8dd90e1bb95558ca54b75b26552ee5

SHA512
39627edd355f2e5828c85d2cf8080fad0efd32e89eb4e080f3557ca8a9f8e95e2c464e64ecd4320470f5a8d0494c1c2d92f1e4972ef86a448f2cdd6fe8b596fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c64d3ae14eee9c9d5b20d04527c3b264

SHA1
51198b08fd33ea497bb0c4dce32ec3936bd75a20

SHA256
585222261f3cd430d28c1a174635944d9d1a429594299179aa80f6ede9a72b68

SHA512
dfce7e8f00a87e78c489fb4f3ed50546b07f3d82c4ecbaf7640b704060ee9244275f854b3f2acaca9ed13cce727a824353d2e024a196ff39dba8f38da31cb163

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
820d3f7398c79dca4618d15ea81ecef4

SHA1
db2a77c010ae475ac7969f3c466b72c8c7ab8ca6

SHA256
403d0d5b5a33aa20672a33d2b42623d965721e954306278507cdec76fd953c76

SHA512
1835cc971629fb93ea7cb5a1f721e4ac8f5a3df32cb66ba1d8f5c293c34ace147cee4017c28cf2fd1ff7faffbf06f54b930b1ccd4c0661ad8fa75e9cfc74f90c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b7e29c5b28fc311f38b379278fc8d122

SHA1
bc75e24d8ed3136c1332c8cab490da5ddcb37544

SHA256
f5bc5b87eed6bbf0ef693e37f9afd6b0717172578fed9b80520ff9b7fdbdf889

SHA512
885bc8ee0ae9888c126e342669413c03603bf33149ae17582297906ff4b6c866687e01745ba2784d382d15fa979201775fb37b3305d28717812bcd2181861c42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8c617d0d2cda240de7061d9537752ab7

SHA1
fc0ae8aa90bb960133ac4ada1d26596d5822315f

SHA256
e4f204bb32bcfb177a9c600456133c16cbd4d0907d2bf37402d8bfadb8d4e07e

SHA512
34dc00b2cfeab34cf0cf7f2d218ec5563870fc1da44a82d7fc5347055969e0f7a6ed404f6cc01f2df5431300c9516381490325c2a203c2290fb830b9717afe34

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8c7024b687afb44cd494317bd6a7d30e

SHA1
84c3c5a4e07251776170231c506a6f7b8b747d26

SHA256
d635b403ae4b877bbc0b5409b34cd1113d30734d8e59f2b5035d90c36860bea3

SHA512
2aef450759f08193627ae29616b56ccd1f747846b1f983c3ea9f5393ab85999a091ba578c2e7627f90a9e29f8419b4f9102eef9a5438d4ad382e78b47ebacfd2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f7abb9c8dcde008351afeaeb324f887b

SHA1
83764d2451e028390470538a4de41a06f293acf8

SHA256
0b9e8810131074ef25d43f70e221c15d29174818c834c26e9d356b2336dbcf6d

SHA512
b9cccb6867449f313ea1722ffbe7796111571f46f2aedce7e822dee0b854f3860dde5ff2f6f32b5a45f104dd0cbaccbbe0303dd2528c8ac1acc4d1fd80453b14

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e3be5323573faf4728246015146fbd38

SHA1
50b0c4951e4653b7e242cb1c886481113b3eba8d

SHA256
c69bfbe1a5c6c1a54cd27ada1d43d6d9ad03db326003386491d3ce1b20669bd4

SHA512
ae558f94ea76e9ee7fd4567b8bc9f199cbfeff3e11f54039fa59c66f066eee86c3be73a26b675c8b653a5f74605555eb05f904dfe66f4b3d3cbe7642e40cc43e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fc13048ab3bb02c64779f60b40a89f3c

SHA1
d8687fbb474b4c445e95c8eea1d52e4334df958e

SHA256
b77cb613194943b5ef1586192d22c9a96453066c23de79759e38c70045d29081

SHA512
1323b2b1871f31d30028539608508abf6f55bb6f752f9a1ed599e263b1abb2cc0fc33f2d763b802eb678ac01f0706dee0ad6bfaf2e5f093b1bf1f046849c2706

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b292760e8ba0bbc88f11e7d772abd798

SHA1
53c0fdd5070db8f8d868e9bd786f6a3c2904ed4b

SHA256
cb2300b32b5b3bc08d145aaf11905f09347f6e7b35df07ae56a6181b4e7e3e37

SHA512
5dbe3b0fc56a18a64956fe884b309536e34c97756e88f33b68a8f99aadda94c07ea24667f6fb13b6e50cde513782a2accfe021a699cb20c3662dd3806299dbd1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5b7658bc4a8cca9a095dc904ece38fd3

SHA1
58487c558bbd97646d0a7787f4e0b941a3764a5d

SHA256
3b79d638feca2c3971f2a22e5cceef9fdc31108f534d63bee8270158b4b25448

SHA512
b4fd081ed40ea77fcd726988eab36831ca92a7069876a14ef2ad2a0cf1ded2ae8959e76ad6b3fe7c36c09b85a692bfa04d8ac0aeab0e328139523c07973b3035

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ba308c14f02fa8b3dbff06052bdd6771

SHA1
3b488d584bd7b3f5abd44f40ed23fb973bd1a83a

SHA256
6e0093fa7997771196c6cf97cf1bd8ade96bd0af67fcc61e6a53599d7e3123d0

SHA512
288a7fb4d165579e779eccce30a5d72fbad882e558c26d003e891627a16d73c28312b23b8e9f220b61048e2f58545d238abe32f037a47c9addb64853f1ecfb0b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\9d224696-1036-4b10-9b00-d159920a7045.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
08732cabb46260f6c2f864ed5fee94f2

SHA1
e951e85ca692fd94aa752a7e02cf01a7c17f38b9

SHA256
19983e3183c2b321fe4ccbba5d061fb199d82f44950386796bf57112f46b3901

SHA512
27fc15c13eba644c202682a364d4e6d71260323b9d898c790b91d1690a78ae7128be3e106cb184d92c9e82872b6a738624368a89b558489a6336ea4b7e0a93b3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
44e213d1f9384e56ffc39583efe2e284

SHA1
3ba60b99be89d078615a7bbf3b2d4b705e2a5ebb

SHA256
dc507b9c40374fd67a23b084c7b52d2e43f47a89bc0f0896d8c3f5332ed5995a

SHA512
af19bbbb6d09e59c88f07600cf96d7bbba1f847897d2e09c775153829ebec349f21668aa54a3d6749efff49402274a970517242d3b74aab475ee826997b0f6d1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0e913ae56602742d41915874509922f3

SHA1
b5ae42a3e5396681956edaf215aea23b0443e1d2

SHA256
92b920b100797ac3fe6a7373a3fe8d6fe4be04eaf9a21b7d04221987c0853775

SHA512
c95dbd2d935e52fc05f3b074b3a2c36f73d543ae7c7130f1964800a1b5ef930d7d99ed903992406b627278f3ae575b53520b100dd161f3868a89a3371e514a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
949513070f500cfe8d7da327fd4d1d40

SHA1
6a81698399a7f4f1f32b6afb13b0a26ae4f50197

SHA256
f956fe6d8b598850cdbfe5065113faf3c0e669917760a979c68afeab3bd682fc

SHA512
c9d8ad50a96884b99674885e30382588d828b3b6fc434b2c69f8cb23e2f00f149da9111e8711422a2b371ef969c78a1e0b74b702ad283659f1da7f53f513e12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cc4f2a40da2606f6d4a45f6c92db7ab4

SHA1
45a07edf80b6215f6cf97ef217e2cf0a3353c869

SHA256
0755781f5f1330bbff688f4469012b92bcbfde6fc8ef4746421a0ba1669137c5

SHA512
ada593bbb77c663d594bc490cd4ef7b52aeaa401eb0e76ee8b7f916e856a78bea2b292ea20e352524cf8cd54779cab92e8dba6bacaa669913e116374c3b67e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
99cfd03df1712e9e2eb81a2b4c2a8ec8

SHA1
d9305260779f9e01e5a7c515817620c4a2a208ba

SHA256
099d29e3ad0586c59a4463894677d520cf88475afec51ac63235d15545f084a6

SHA512
e7d36850a440e3487de94e2fdd4b37f9a6b00ad178be152bc707bb4f8a40947031d4ae33e9a883fd8377013bc8de06a5fe728f09703e415d7bc1c3d10a44e374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5792e9.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
39e0e1b4e814a8c6721a1933f0a7a4fb

SHA1
e7812c23a0c592b8ed3aa3da4856223759a11de9

SHA256
d0a45b0ca2e2eaab39f2ee66d1691ead6d24791fa868219e82e6ae6ac952f6ab

SHA512
bdcc9ef9ccfb952a2fc6b74adb8d042f7fa1e6b621dfcc97a9d3eb3fd342d69755092b433b2dfb7f14d32695b888ce6b8e4bee75e6183f8a9e676b41791cdf1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
af02462b576ebaa93b798917e6eaa965

SHA1
21e9355e5a3cb42725b116cb8300ed77c8f49612

SHA256
f07e9665cae4fb52ae3c4c5b57d3b5cc88daa13c86f65f11bc8350994885f93b

SHA512
c0e2b88867e6feb7d57599c90b8bb40ab70f61456b5436f6a1bc342d97953c7c19e18bfaba75b29c20e087089127df59bc01117405f48524f33cdca6e1deb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
86f6846d7b8e5d1adbb073170a4e054b

SHA1
1ee50d3f0e6f83685910344c3f8f1c52e76bdf95

SHA256
2e58e675e7b6fb6af4eaac9cc231eac24e1b793f9418f2a58b3c9bfec252dd00

SHA512
b77e2a0511b502a85d46edff8c4fec9415b44f2071532f2e47b78693d9a2aad002abcd2474fe29ee6b883435afda8af66501f985e4115485187a3f868b2f7b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b52ae8afcdf45b50688f7e679dda6da9

SHA1
6f56a9a71482f09c72bc5e91a756da7aa72eaba5

SHA256
8b67bd41b0978d7976c8ff287d264673f7464b79e147f2b245ca7e6f4703ab90

SHA512
04ae6e97641880ff7358a9a5176362df7fa47e4a8eb63febf51eedf01fbecad3252b8ec5c1d6b91af5a5235429613cf10961ccd141bce5a39584702e4af3f091

Download Submit
C:\Users\Admin\AppData\Roaming\a221c16874f8f84a.bin

Filesize
12KB

MD5
c662f2b0c359ce85a348275465972b78

SHA1
7096c48c18a67d64fd54629a94cacf5c24650b99

SHA256
06317d6b73e45e8df4e258ec850a18d487ae7cbf3d69dc5364e8481b72fae2b0

SHA512
a0e36153f4742b947c1c00716b8e252608b53ca571e45889073a8e8d8791fd63936f2ac6315b4742caba6811580dee75b04a5b7ec01461db343f9a6773a8a129

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
42be8d9a293614a2ca295779dc75ff86

SHA1
a5cc274cbfaa4ea6b8774a0b3e96ed673372297b

SHA256
01f616621a41611f45f7d12340668be23292b063ce508b8c17a4eb7dd901e983

SHA512
0b488bdaff85289501a7386fb9ac5dcef574eebfaca52977995cad706908ab8bb076cc07e471ab44fa9ccf28af9f1736b4189dc69f720b96c67d3c1055bda511

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0583f5aede2a9705ba33d8c9d425ecfc

SHA1
fbb2c0ef2dbc2e4db1460ba3b38df99d5c2c22c1

SHA256
03f936bd66beb52c523ac428e3c9d91453022da55ba10850d3d0e670c1428bce

SHA512
0428a29907ad204ae3adc9a1b121fcc7c83ce9d3d95c133798361c707f2e2cfdbb69738385252169ddea0c4077fd02aab0fcafaa51bb34f7e30842e800e46d5d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
bd0ebd645b68b605f58e364817716007

SHA1
adca6b44fe07d09b1858cb13291f6729feeaf7e4

SHA256
d04f03ab99c08ac12a92a593577ffb4dfeaf5b3d8d0b5229ecdfc07088346da6

SHA512
9f0cfa09d9366f3de242d0e86c7e948ad559c7105b6cabcc0b2f728d4a1605ba1adcf38a14296047622cbdb24fdeac594ce91708d12e76b7a68500cc80b65981

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4370b8dc61e342a6f1497c216c80074e

SHA1
dbcf3d6b512c5c8434ef0f64f56f302b93a6dd10

SHA256
c1252298a88ab4b9ebabf91570f8db46330d0db9f9e154d81daded5beecf3746

SHA512
9952885d880a374464bdfdffbdc210b964f1ef23df769c083b2a71498c7a10933e5d822b66eb326065d867ef219ca71e69d86be21fea148ed277e9e31ac4a5a2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f1a3986f0c16579775a23447ce981a1f

SHA1
e3a1f305e35084fba1eacd0fdfe1f389db91099e

SHA256
388c0f9418ed7d72c248449e9c12a1f1d57c66c87027c53034554d92a6388dfd

SHA512
0099264e384075c809ebbc94b350e84c580e0cf247f07e7d1829c1a1ac5ef726e926f3a162a30e26cd6d5cb873b43c8b5bc98600dbd03c731648f3cea24f0637

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
df7d59db28e4cb588d2d66792b269305

SHA1
be48f95239dd55c27aceccecee57bf7c15fd886b

SHA256
9215f63f0ea3e918fd0d01d99dd00e69f03781ca396fecf3e6ef3924c1757571

SHA512
273a54b096faa3e26144841b22bcf040a941d7e1708b30e0b0fd5854fd9bc2a983e03c2aa156fe9a3ee3b59dfd26146d2d0baec1ac3f691f2e4f42bf3c858767

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cb1dd43f893fc7e199a112e433cfd287

SHA1
bb7ee62fde329bcebc0d0ccefda1190e24c90074

SHA256
e761d3170684ae53cfaf1e44ab0a1dddced83a9514a56178a9632acd2282bbc6

SHA512
daabb9d20417ddd851d354fc785aba575b30cabb2a1d45f6d3de8474e5370df676c423c5d98259d39fc5c83cc1f9293db715e385cd1babb0bb17a6e5f444d0bb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
db2572f65e5e7ba171a73cfa0eb4051a

SHA1
a6b678dabc8cb7e0ec8812da43f848ad54a95b0b

SHA256
91803b592dc10c6a42b3bb5fc651a9e578698fceeca31e3d0906798a5e744cdc

SHA512
00754dd280664bf27c4ad99f210280c707630b7c71f3396fb4c4f84541b94f793a628b9500a542fc9cf850d6492e8195d9b93096d673ea2a94783adecc332fe9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c41ae15fe29406a7d4c8e8ff8feda5f8

SHA1
73807aeaea3919a582cf0201f1aba88e4e42f5eb

SHA256
97004b1e995c95e4de0159d5ecb1a44964630fb548133bdec8ccfb9ad488c03c

SHA512
9c7c3c21f9dae258b06f9ceb5e9ae9d0912dc2495f018a2e6d2649492e193d8b5014854d5bb0642ae2bc962a8df7ce848751a2dbd58137c177ecbe3083ecc2f2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee9d1197bbc559a8099dfe23e8b91f78

SHA1
e8519ceb52a6502be9cc28912f819d8dd6ddc68b

SHA256
965e14e9b5a3c2883d517eadb88a9d84da93aeb1b0382d406dae67d8755dfe94

SHA512
7f59194df34ac48ffe3b706347892796b2e60bbba453129c0ef40ecf603513bdcba7a39c2076c9a36e87698d978807d3408aebc631140e72783ba28511b8e629

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
aae93d2142b128f68d36367ae5c21486

SHA1
c8823cc2b30738b83e2f0aecd44d6c709fb2375b

SHA256
36bcfde31ec74b1df58e3acb104ee597508e7c06c3e016ce2022eee807f10187

SHA512
945bafc0909a9a797166c293ee50bc5cf532fcf89891c5c7af8c14336789329573a82fb849c5b7fdd19a2f114075e5111dbcff54d3a8ca9a9e17a818ef9ad390

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b0d017484455f01d831560b5067b2da0

SHA1
0977914dd782f2ac334b9904eb80b9041bfe796f

SHA256
2f941b2a98e9a30c29c90b9334ff8316f7bf559f1f53b99e766d9652aa883025

SHA512
2528806cda26500a98077f0c69ce1fb7c044ace4c54d7806ba84dfbe61e252903e76f5fbe5926f4c58133a6d87676d4675cf7b9fad137af19e0f587fa3bf9ee9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bf1d855459e19d58717b26555c00250b

SHA1
4ea07e97f9a919993fc834fb6c714765a46dfa91

SHA256
34c676b8f2d056e1ef9098061d2c555acbf04f899dc98389a66c7090d5febe14

SHA512
1ece5f91a93513d83c0b56e6f916ba6ddcf441d6b0d2d9d3e377c5b27a193c559e67e80d2ad0aad74ac5a16adba998f07d681113bc6138cbe0827232043a98c5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e461c75ef51626c97e937ec0b238684a

SHA1
4212ee711ae95bde0d280ba24c13a351c1cb7355

SHA256
eb025f42b22631877afc7ddaabcdd07eabe6cf4e7452dfa6443d53afbb8af016

SHA512
4dcca0607790170603261c57c137d275118075861b651c9e0445745a9c378eb9e60084844ad1d7939bd4a9e10b8b9157a0998db31de0d542fc0f8b936f9f4863

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ae65d5b63bdf619812c8b2aac4e63ca1

SHA1
5a17eeb8a8bbfc119479b4cd6ca74641518ab9bd

SHA256
d67e70885733e85a278fc0626d07315ecd9f41200f7cf709dfe5e17c7d7d8045

SHA512
235529231371379bc8b2c017cfe34440a3d26770862d2cc16a7b9a1c8757a519a6eb53d8d3784a9b5da7b5e73c8a4ffe7b350c65eb88b82a507313b791acccea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
db70f7a7d120d1fd69130dd853b16f6b

SHA1
a0472bb61b108b0bf30dea519a444eb6838cf719

SHA256
a7ddaac2d3c13edaaead6004b73d95049b18697a7242d8fe01123ba83f13b096

SHA512
c8e8b2bc44cf9cb4e9150aa413ebe9905aa1ea42b81bf15bcaf8aeca0182924c3b8b92fa35454f8f3577b9fcf3b2ca259b64813eb6953a959e347c5f6fe73152

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
161a55cfe6c4b7c3e722eada0ac78a91

SHA1
641be01d3709b23ccbf90746bb2b184a12c9a282

SHA256
38c86bb5e5bdf3ac6667d0a3773c01b4a3451c23ab4dbfb9e1bb83dac1002eac

SHA512
6a29851406a02dff850409efd9588ca6cb33205b345d3105b621c26b036ec1bfb172f37cfddc2f088678174f7936cab3eff0d947bb00a5b06276e4e0bde4acf6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35587aa45524de852a3e1f783bd87c4e

SHA1
66fa093ac76c4dcf98e5b298461b77878e8a1792

SHA256
eaf2e064e0a85680b591b279592acbf4ca438ce810d7df0ba50c861c86725d7a

SHA512
ec870f2874cd9607b16a4d9475636fd2317694d27e01d79790110b1c25cae18348b25cb82f30d2c63ab86230d0c6f779b67127409da8022aef353ae56f1eef69

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
57c84cd0fc8639723f9f1d874ca40456

SHA1
14ed4b3b2bba3c5cb3a3c9247d503d8c83b02637

SHA256
ce24e2c6b3a540b082a95fe70e2c76fbc1ce311169dc54347bc5f75bdbe6bd92

SHA512
570ff90f52029a499935fe9a38d8aa7c7ab764363323ddda4a5e9ef2c0be49b6c952e96022a92b27ba474bc86ab320e9d11e6d3f36bfee0bd867153d0d3afdb9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
69521962cfc4136042b55098f00e246d

SHA1
20ebb435038849d840d21897fae9f448c3eaf1ba

SHA256
9294d149682f8cd6ea320db403c9075964d70af45e403f7675cfa95f12484d3f

SHA512
416f8c553dc4380ad4805a19c2408f6bc525949aaa49e8aa0c79daddaf72ab63fabc5f102cf8c3d315f6956cd2282115bb30e808823c5eb6e4215f6db2a6cb97

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c9bdf7a2a7bd2316aedcbb01eea6d6d3

SHA1
6f48613e99130284cba216373d9e9160419a859d

SHA256
52a868f7094a1d250b403ecfe1c90e6f1aa0e699949bd72ac4e2dfb52a0857c3

SHA512
e03ab83e5f05af6d6f8bea10666ccfee4ee1e1cf7ba05095a27fcb5b0e8f68667f0e4959093beb12b2314895e528270bfe7392cfafb5eeb657c1c23ff9614722

Download Submit
memory/632-228-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/632-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1072-25-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/1072-99-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1072-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1072-12-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/1144-187-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1144-178-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1144-246-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2296-17-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2296-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2296-29-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2296-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2712-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-45-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2712-51-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2712-147-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2872-175-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2872-161-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2872-233-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2892-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2892-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2892-8-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2892-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2892-32-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2940-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2940-84-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2940-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-104-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3112-101-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3112-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3728-58-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3728-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3728-94-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3728-65-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3728-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4048-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4048-128-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4048-134-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4048-135-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4512-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4512-202-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4512-260-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5056-206-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5056-214-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5056-285-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5056-277-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-218-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5060-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5060-155-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5148-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5148-242-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5148-307-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5332-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5332-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5332-256-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5408-356-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5408-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5484-339-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5484-265-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5484-272-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5660-286-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5660-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5660-279-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5804-292-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5804-303-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5804-299-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5804-305-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5840-373-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5840-380-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5952-309-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5952-316-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/6028-386-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6052-320-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6052-331-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download