b620a565d18dad40692a6691be155c5f36271a5f45496ed4cf1f5581d6567fa7

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
Size

3.2MB
MD5

31a2c4e1236c38ae6970c7ea759afe61
SHA1

b2aaa67cd5a5d47c1de0c3ad39e4f0b4c95640d3
SHA256

b620a565d18dad40692a6691be155c5f36271a5f45496ed4cf1f5581d6567fa7
SHA512

1d78f0d2ff98d2fa7daee2a189349626108ada2da61004b1a9226ee5a659476feab8be16e31560a3bdfb71d968bad2948e148c6cfa4d99d95bbc5ad94f71221a
SSDEEP

49152:J5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbw0TUqy6Cks7R9L58UqFJjs5:5NhS4Yw8ySC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1520	alg.exe
4428	DiagnosticsHub.StandardCollector.Service.exe
1244	fxssvc.exe
4432	elevation_service.exe
4776	elevation_service.exe
1688	maintenanceservice.exe
5028	msdtc.exe
2404	OSE.EXE
2836	PerceptionSimulationService.exe
1784	perfhost.exe
4484	locator.exe
3016	SensorDataService.exe
1140	snmptrap.exe
5212	spectrum.exe
5392	ssh-agent.exe
5576	TieringEngineService.exe
5684	AgentService.exe
5788	vds.exe
5896	vssvc.exe
6052	wbengine.exe
2036	WmiApSrv.exe
5432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4399ee1bfc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca0048c16393da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ebfc8c16393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cea107c16393da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcd4bcc16393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9ccb1c06393da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e10853c26393da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005254f9c06393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581195494482620"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cabd4c16393da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000106ebc06393da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
1788	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
2648	chrome.exe
2648	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3852	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
Token: SeAuditPrivilege	1244	fxssvc.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeRestorePrivilege	5576	TieringEngineService.exe
Token: SeManageVolumePrivilege	5576	TieringEngineService.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5684	AgentService.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeBackupPrivilege	5896	vssvc.exe
Token: SeRestorePrivilege	5896	vssvc.exe
Token: SeAuditPrivilege	5896	vssvc.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeBackupPrivilege	6052	wbengine.exe
Token: SeRestorePrivilege	6052	wbengine.exe
Token: SeSecurityPrivilege	6052	wbengine.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: 33	5432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3316	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1788	3852	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	84
PID 3852 wrote to memory of 1788	3852	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	84
PID 3852 wrote to memory of 4896	3852	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	87
PID 3852 wrote to memory of 4896	3852	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	87
PID 4896 wrote to memory of 4048	4896	chrome.exe	88
PID 4896 wrote to memory of 4048	4896	chrome.exe	88
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 3860	4896	chrome.exe	93
PID 4896 wrote to memory of 1012	4896	chrome.exe	94
PID 4896 wrote to memory of 1012	4896	chrome.exe	94
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95
PID 4896 wrote to memory of 1944	4896	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0652ab58,0x7ffc0652ab68,0x7ffc0652ab78
    3⤵
    PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:2
    3⤵
    PID:3860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:1012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3688 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3968 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1688
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6ad5bae48,0x7ff6ad5bae58,0x7ff6ad5bae68
      4⤵
      PID:1864
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3316
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6ad5bae48,0x7ff6ad5bae58,0x7ff6ad5bae68
        5⤵
        
        PID:1956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:8
    3⤵
    PID:5152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1908,i,9109851420101328777,1088880403280558508,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5212

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
30f32f13315471d3d5bd0130871141c2

SHA1
2f228a4bfdbb373afde76f8d0acab4503f3fbefc

SHA256
c9846c910c92143ce69ec2b16756d6705219cacfc1b0a1f03ba256d8d9235969

SHA512
f4a4a3eb6f1c7e908f27fbcc8c728ebd5f3a03c38555d20384f15b12d3a3450d41e286a3749c8d2261d96bc9ec40b07ee321d3a0ac45adfc2f6bc1833e078198

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
0fd3e436de1890bd90b695400b4d137f

SHA1
7d2d33ac94c25c99f201c5c009a633f97ab90cd3

SHA256
392c2bb98e39afe82c5af6287124000058d56f710a10fbdfe0a4ceeecdb24b95

SHA512
e50d720533cfb7560b109a873be891e69ea428cdd8828c74a85a00189b1cc1edc6306d62bade8f882a39c4a6dace4da4efd2a2ab3436318a6e3f84a3c8861267

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
268f7bc259cb937736df9a30a66ebe41

SHA1
0155c7fd538bfcfef22a64643bbe4741df00e154

SHA256
5823ca04cc9474abc1986a55a26bf3ef9453c9135fe22936067a60bcf92d8b41

SHA512
906926b73b650c339c5f5c450c7d82e102d3abe67e49757bbd5d39fb6417244f167f3ad2cda4cbaaeefc18b97705284ef83baf3b4e6cc59a9a99901256d54f2c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0ee1d1073b6efd6dd1e50574d857ee7d

SHA1
7b4bafaf3dad425c4e4107cea053772f92d1cfb5

SHA256
4d9b097b015eb8cba7991409a8351da04e0125363e1e575ffd04ae1d6f09f701

SHA512
38866ecb2c08e85ffda38c5bf7317ea71ec89d49ab8a4fe41bc9d92fe2e21715888c926dcfedf49fcfdbcb01c206af91c97e649471ef4d1f7b2a1863d213313b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
56fb5c51e720219837721cca45727e41

SHA1
0b90c35097dd7173336dde23427e5390eb3b2d1d

SHA256
8681a315e0c1960e2b5de15afe0fc4900197a61eee6335d2646f9ef291f9bc4f

SHA512
b3e0e7db58d6ae666586d71b47692f56db68b8bee9fb5b0f5540ad8c63065f61b5652c8ecc8bbf67f69421903074a893315cecaec54b1649bc0d514e54fc365f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fe2e0a5763c51d5ecefdc08777f653f0

SHA1
a86417301a0bf9d3f10c75ee61a5db11b1b639d8

SHA256
7129f05eb3ec63f9628bd0e07c8e7c262e8c56f76c51d988231c590cad7451c5

SHA512
ad1de726c7f3e51fc83f655a75e323e87dd1f4f0ad05c4193537467755f7cfab53a9d7acca1423d832335d1c6ff5f04a05dfddcfc813939095b2795c5466ec80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
d079a7976cc7a7fe9011f824f66c5ce6

SHA1
9f21233da9505f5cd229632b88f7517dc92f006b

SHA256
3fc6c8ec601eabf8086e6cc79c256f2c1bba23d9e02923ba7f2b0c6ab165a7e3

SHA512
17de66dfb96a552c16ec168b650f50ae0f1203d07de6f26b51938883cc065c7def54a59b798513228f78c591dc670c7905812b67743d29c4abf76ad7a7a2c626

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c3796176c8136a0318ed2269849f1e51

SHA1
bf6c876b6ecbde064d1dbd3a4e772506f160516b

SHA256
60cf013cc3c4e30645d46eecd018162e8e20ab4731fa9e642591f44a5a543671

SHA512
210f22e32c36fd56fb5074833b492ce36aa2c6635d94f78da54efaae30122cbecb7e41bf066994977d69149bcbb54e40e3a0bfb39c57910ad9371af651db9586

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
cc0f8c742650d5d57272800c06280d83

SHA1
ed97b70548dad102c83ba23026a2af27c4b1aae3

SHA256
cea34250db785aff2f41142658f9624ee568183188f17ab93d73e5b220ed2a87

SHA512
1995f570e066470e580d982fa9635976928251feffb79df459c4f0bb14ddfa05ba86ef690fea8c8d8d2b0d53d91ff55d6581dadba41ab4558e0c610e2724e6d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
819254043efad516ab910a46ff17e89c

SHA1
dd07ee0298ca0df5638122dfddf75a01d0df0ff7

SHA256
35c88ba5cd435383685e74207210437acaf91ff5ee25fcafe1dfda52b591fdc6

SHA512
6796272b15709326129bb91696f863634f1085966d00bfa163b00426a96883c7768c15f7f0176233a6399f2208bb750b456b71ae1a01f6fa7895ebfedfc269c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a072beaad9abe3afc7b7b2466089cf18

SHA1
d2aff7162dfc0c1f94f6c3e5a7402c0f288c13c1

SHA256
f1c011dba4883b8c087f91f616e590b71ee46017b3b2d61319ab159c6b6ca955

SHA512
c6b229237af8ee126acf0a057a3c559e1cf3404cdc9a8afd9114ce0f82bcf0416d8de99e1d2a5a1ccf15c454b4eda08b24590a9a4b08efb29499028fd163dd92

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2a02822f586cb247ddca8f32c619a2a2

SHA1
3702bba748e49f72accbd0ac9d880b807be6219c

SHA256
1d89cf93dc1aaff649df8831c706c3c8ed479dddfdceabb79646782d143866ac

SHA512
330aaa0aef9201223b5a9ef711b6172362c6294fdd1c48cbfdbc901b8ff2317ed5980c415cc7099c5523fd7f12badf42c1c31fa04d66e2da07ee564478de8d97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8be0a27e2f556e1eb327c3ce110b0403

SHA1
ce05dc9a27463eb268ce0fadf2e6b42c8dd1c0eb

SHA256
322909bb43681cf9396da87c74a7a46c9d3ab2d524ff71e04c0a765ae89c9021

SHA512
a906f714a467f7aca822c73ae057717093e1ca37200e631bf46c22082b63b3e1d2afb757986effa4524c1b5f6fb9b9680497768dd01c3677abb53707cc71e399

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d1e89a1ae2d76a958f288f3a9f41302e

SHA1
542eef71de64358a4a343340213feb778022b2e5

SHA256
60dff62befd92182aedf721114525e2948a02067a5ef3c54d52463826ec3ca95

SHA512
a28f6dc38316152f1b495fb445ae780ff07f69ace874738bbf0ad046ee03727639f0b5008ca56350c12054d1da38698c09f6f70e339a5d859d0d6ec70b5a5f6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e85a2e6e8a97bd55006bdfeb38cb3c88

SHA1
b7dd4afbb3572f7ca99d4d0cfccdc81c9dff3731

SHA256
d0207e6ca331a8bc85aa62f163e28894b0f77be783ebd6201c6ea6cb722c31ec

SHA512
742f09bfb6ec70bcc650bdcf05d0860692be884917ea5d4fee76e84a02ffd042d61fc9af2beb62a69a405f99f7fab0c4aa135b0265b9c7cbf9bef7d82d2df3e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
833a8e8c00f887da4f647c2b979e5221

SHA1
6f3a447ee76d89d2c643066b4aaeaac05bbf2dd5

SHA256
c8d3966da59ac5d21acf0fcfcd1c3d79a0655a795052cb202d56ea60111e2a6e

SHA512
452c374a0e5111824b3d92ce9b9ee00629dabd3c01ce3763c33d4a62abd4afec155fed6d52f490f26f0b9779d047c5ffabc8d0f538405c0b93c3a839c4efea17

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c08e5e881b2011ca70889a2cda425aeb

SHA1
2f5bd14f85c3cf642cdc6b544bec758fc3899584

SHA256
4c0250f6421e152873235e616e4205adcb87cf79521261ba0298d968677258cf

SHA512
119da9d9ecc2ccd82f9db954bd9ff1a8d9d4e7db25e7c4c80df36ac8a3654922cf296b7d36453a27152e52c11a4816c4bd79ecfec69edf2a807a5e2e1b114d07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fd5be71ac41520b1aea0334f71915cfe

SHA1
9c22cdfdace0acb0b2601d97e67d456e0a37cfbb

SHA256
fa17459c87ace3dfbfc35b26db06309f51f2dad75a7960fd77c00340e3cfe8b6

SHA512
9bb76cd3d3d3797e82f3c1049114daa797e9aa6b1017fde2d5d1868decfa4cfeacc57a8b55826f1c91ea062efcf61aec737612a9c0f98c9ba37d6f0dbfb57a8a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8da030503ecdeb709aef61f75d17c0d7

SHA1
1ffd24754dedda2ab41e502e402a3eb2f0b299a6

SHA256
c37e7e9690d20829a941afa515a4e3c104aee46b6b0d24032ce5b09e3f65e67c

SHA512
bf8e0357fd9e51252ef1bab10c602e4af200149f52aa1058d8d3712e82273ab87c33a452143059ae85fe374240b821596b5e85e529b061f074ba02aef2908b32

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
55424f0480fe5078c0bfe2ef640a8363

SHA1
dbbd795254ed86c1bea14208feb5d65e98c8c3b0

SHA256
3eb20b15fdb6d221d671d339d83d78e7fdd4bdfd02fa70e320a55e22b472ec84

SHA512
d47105320caba5aec01ee3b93588fff9a70e90da49304af658722d68ce18103891a71f3052e5b56df62b0c16d1364f1737e3a45e7e4623005682c8e2b59ecbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
27cdacb86a5c84a5f3d210ffba0e0e34

SHA1
edb95dbbaa7fbf207dd5efb34891af7312ade18b

SHA256
99179c316d10dbec3135c1d6a5c890c342ffffff6f2b368ffb76b9d38f9d2d4f

SHA512
9d83e6100b7a261b02d0442c2c68235f51b0b66f8badb3c04556970f33011236792dfcb708aacc737c8b8cd6a48b43277bf84ad327ac15ff124a552e5af90b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b4504ced487da356bc5d8bba44a060b2

SHA1
38a6da7059d314b58294f0c6d3dbb9b3fbbb8d71

SHA256
05172042d3f0f9fd5f2a737e94a276ffce0bee0c4c9e89db555b212b334e162f

SHA512
2ba4565bed3a4da4a508d41103e0d3b01758d6c4a2bb76d96a580f18a40d277717acd6101a68f678942c6c966629eb8de17c0fe3862cfa6ec90da61c1035900f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
95abafce0e9f155bea09acaf9d1fddf3

SHA1
abfc27ec92fd6c933dd18c10aad5946413ed359f

SHA256
ad75b4223352cb52fe2d6698c8f30d952bff07e8a28ecda6aca74350eca92f04

SHA512
4afcf356797fd249f21731ca196c3f863e6dbdcc4369241ea9040b11589ef9c6ca23fb73dcb2422fcca027c0a2a7eff00f29cbaecaec82deb37dcc4aa139f34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56a09b78cbc3b12395e8626abfc515da

SHA1
0eff1c2482f43dbec8af4c492171aa565abc2acc

SHA256
f072e32c25ec2f80f171b42124ac03cbfafbccd966a0d4cd4bee3db9cf8eda65

SHA512
fec56de339540a700a2f39b5b0e5f1c404d42e8bd23dbace9f5df38c6368378465fab3c84487e36302f733ba7e0a122b6a4ad73cda4615f84974ac1ef2865096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577e38.TMP

Filesize
2KB

MD5
3f83eec20ea3491da5eff4ecd04a269a

SHA1
2bd6a1dba95902229d1ac874636ba43303ceb376

SHA256
458e9ff8954923b8a5788a6fc41f46f57097da4985fdfc96cc5a69d5eaf5cf6c

SHA512
662df191e193fc7c8602695472f8ac3b9298636386104dae8b118e562701b6e652ff5fac488d56a36a4dedcfb1fd46454b17212a5934150766f9e2a41e5c637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b0749de5fc79e6b9a2e512ddc9d2d4c3

SHA1
83fd671ffc5be26ac4a10f20bf64a972b8b6d283

SHA256
085b7ee328e7a00193237d8c98af7f7ad1ce93ba4df9072384cf3cd1a03b1e54

SHA512
edb82caa85e52825f2f679525fb2c79f11c5df65edd9a3e1ddd37afc0b31080087b7077b11d6d0cfdf316fc4d6b6750cfb9eb9bafb13218e676f6ce644afb29e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c65b2739-92c7-4755-b302-c58f6ea73294.tmp

Filesize
252KB

MD5
8d1b84698de902bc36628fac74987685

SHA1
21bf6b2f7615358a3b8c158d16c5e987b62913cc

SHA256
17044ad1e5309233bdae0d8a3504108901c64af1701f44e04182f93191ce5562

SHA512
32e033b331180b2e9ec21b17b0d20dc36f061596d319b79a15d9a349ae0b5597046234fc9fe78d322b089c957eb44a1ea176a74710eae8e3c4e69f6d455682b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
17547886417f717ffb6f58e59832c9c3

SHA1
12b757487faffb07236b9f2f31ea99afceaf52b2

SHA256
6a719a858798ef38efb42171708587c6d2df54055336782f179ccc08da75b7ac

SHA512
5f41e79ba816f6960c9b6bfeb63677a25572cb0c5ed2145bdeee3bf2882f4113e6bd60ecba4398969efdf4d5af478d8bfea377ae1e4ac447e0b5520d85c26b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
a29c45a19c4d1063c49e50510d1e6a37

SHA1
618901961e91ca29d4aee78f5211c73760eef731

SHA256
a2e2433376a8ee20c24bbdc0ad618a9633bc83b18a52494b5e85c3a1ea2569c9

SHA512
0ee9e5ee71ab1f57d5414b2d2178a3d6e79660639d57514afe3badf8f9c6f1973f10ded7e6019c7c6259ab00bebc079355c624b7e58dcf8c737a06c2c9fc8e53

Download Submit
C:\Users\Admin\AppData\Roaming\4399ee1bfc7bedf8.bin

Filesize
12KB

MD5
a3e5025eb55b60e45ae24b62d7f3d05c

SHA1
37e9c526c5b38fdae79422ad96de70b5fce6d0e1

SHA256
2ecc5f64b7efc902d5d90a36184edeaf4416daf98710435808f6e887e4ef222e

SHA512
c37da87953cc77e68912264ac7d1eebdb2caa1b2f0bab987be4cd44593909180b3567e8f7e145eaaaa37ab7dac176f246abcf1c0372ecd70908804ad9d5948f8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
291c7ddf39dd66a2f893bba8c06e83d3

SHA1
14d9020063d393dcc7aaa464878fc5e03bf8e45a

SHA256
bfca5c7c7418b356fd4ffa50444ddd0844ed0062314902e94a6b374bea91c740

SHA512
095eb70338265edb68b0fa9c90a4734fdda3fc230af294f4c52f2b01d1c7d2e2e356bae15a9caace93f0d8552435844a12972dda196a55bc53914529ee2bf3e7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a6ba043e9c3d82aa7cdefbb185b7ce8b

SHA1
09f4c6a6d54fc9415b87445a7993d6d9c9835453

SHA256
b0b845a57ae52c6471db065c7512b20258c3b925008114b241a389d43e3abb2c

SHA512
7652aacc4240d0a6639ddda288bbf7a5b675470215353f6d6de3693050612d283acb18c6c9584b49dc5ee7ff6a13df970dbb1491586f3c1a7adbbe0d2e00dca5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
4580d5e7dced208472c4dbc04fdd9054

SHA1
3590ff41b45aeae37f43f7b370c11cc62b59b24e

SHA256
246cbcc655ccea4fcc153e35313b53195cda6231ea72fc7a7d0416faba092dc7

SHA512
cb498d3ea4dc9b473357763c0512b7bd9de3b6959d72ab614c20575d94c77d77f5f7e288cc3974ffec142747705cf9af526e246b281eb74915741eb3af6208b4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8972ef983722d04887a19f18f22d931

SHA1
d142cf65505160e1ce471b09c79225885a3ab01d

SHA256
766db936ee559403b656381b9d39bad83874116a8b57e5d378a1c9c4a91bcd45

SHA512
8a5f49269572ae352063f678904dfe0b34e0e0cae5ae1ba1e79de7421c593f8aa2dcf2ec6162d2feb2442923b11366f1eb220f9cc65ec410d6c6304806869190

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d0e8bf8d23c2e3b54027dfc95c40d760

SHA1
6e1db818fc169b24fbe753ece67a46ff46d718ba

SHA256
3c5b711b84b82b87166d811f67c875fd4f2bcbbd4c61d55ef8c68702d180b264

SHA512
571ded700783e33270026a0f22a9b71c091e56f3ae34f24d1fff9efff7db55d12fcf1f13582acde7a2474b873cfc3231a1387297132a979a5d78015ab203883f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
898bd86f60afaecf1c98d27d622a626a

SHA1
4e59d615eff859af3da40d467faf56594a83877d

SHA256
2f35ad73decf1db008dd7d62d132a94b5fb3ae4248129fa54d5c252d7bff9a64

SHA512
b2422d2139cf953496c6ae223f7ad5c2598ae049da257d304311de2e117d02ebcc100052efde2213a3ffeb088dc17cec2c75757710be6e1fc87136bdd190c95b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5e850e562d9aa9489469dd835bcf66ef

SHA1
8914ee2d1001d58376a0a9ee439cfae0957946f5

SHA256
6b22a2fb67b8a46eaa25c7ccc830db911386a0b92b17c07b41fe3596b31fbce7

SHA512
58f7d03b4962c8d6429800316d57e220615b38b05f712ce1924aa22a1c50e505c9f3867abd5199d1d3f07d2099a68cb20e169b97445c1fa393653b9331e136ab

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
40c896cbf276611efa14686985d1603a

SHA1
c633dcee995f17f975d2b24d4be140184315d907

SHA256
addf8c0fc6f58bd0ccf5da16ed0e40e117fd93c7d0d10136e3d8df8741afe998

SHA512
d4c422930d08b0c7e8597d3742b516fb9c8b17c270f9db1e50d33bca86055ada7d6bbe793f9753a040e6b22a8920d350ab947a99ecaf2df84e4180739364e1a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f17274a0117d9f7692ff6854e8a3589d

SHA1
04bb0de52b8896ca2e5fa7601fbbf4a7f07e8792

SHA256
3e6663382c6dceabe12b6b5f700c71d9b78a5bea42ea82c3640ec95cd26b1fc0

SHA512
27fac872b4b0362df5504dce3b92b3d260b813bf9e5a180ce05abe2bd62db8c65e5729c4b62f0de8780b2faca92b3ee2e415cdf36f0ff0bf45b49f3ab9e03327

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b02bd892bfb89d250b14b69327c790f

SHA1
da881660290ca122edb3970b7f8005e04308a63d

SHA256
7c5ae3e1ba6bc027ebdc743e228a9fbd98048f5bb38845e97dae95fb2a02a7ea

SHA512
0beca95e9753827acf523dec51e319ccc347546f27071219188cb6ea87071853670e5c15b0df082073f3bf9ca964d77f5fb8db8eb28de6b298b7b95cbbcb3495

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
7d85d44bf13196288cf332df4da08ea8

SHA1
22f6a99c7e40308977dd1645b647d94e8d108d21

SHA256
70ec72928b054a52ff2c40f05411f7c7e448c40faf0e39a38c1e5275236b4467

SHA512
d8d41e148e7e8041eb86dec5b5525e3de27e805a1b3ba088849dcb865eac3041b7b04c19b1107e9b8ab77e81aff210bfbb877598d39810e761d3b776109c3d02

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b72a41e2b0643216005ea8fac0ad1580

SHA1
817ca1e808ab4682e4c88189c7a1626581df7047

SHA256
f8f681e9b6ae7a2d316a0ac9ff67a6c8ff9c99784a5b5ab448e763a887bfd5cb

SHA512
4eeb1a1a2000b7899bc9e2bb8945155304c90e8187fc2ad061882c2e82f340a6655e3554d585478aaa31e84f62d4baa8ef375a5a74c37e850068fb961d4930d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
524a8ed499579d65f35b51cc526de648

SHA1
b0ee34f512b2583fa828a035cfede38afe1dff6f

SHA256
db874e3a8caa0bceb004e8c558f0056ae5bfb0911a3dd876ad11e6f87ccd9cc9

SHA512
10244fa7f02c5639083654cb550245c87103f046b40773842e8e85ecfe786d76dd559d2c0237b027c32f1c258e16233dc50a42a55b4da1d83e680000d2b1ade4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
19fbe5f59dc1c76e92b84941933351d5

SHA1
d448c92a69b7d266c586da4a7becaf89ca39d8a8

SHA256
0c2bea36b9b5a2019d2706f0ba14360508c203177177679b30e6131e4f62fb2b

SHA512
17f1ec153f255d85a9643f9f3957e26e2dd8d0ba7b3a6a09f2b3b41169df7eac77f8f3f8ef4773c486644736554abae2d7a2ca3831d1cdd21180683928f4ff5a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
56a57b233d0c35755cca6f18800b4f30

SHA1
b5776befc7125ecb2ad6466ae213ca896a22938f

SHA256
85d41a8576b43dc7bacad2b1a1d1854591ef8106816582d6a362b5e8c9ec0c46

SHA512
1255b8ef252d624eeb2a480db90dfdfca5e850621f070672ca6ac6f89ad1a353cccee3f01bdfbacc1ef05e945d8a8515f1fe155ee7a267be71ec91279590e563

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
092e83e46bf240c108243ce5448e882d

SHA1
3d474e4b16ab3fb9c65b1e70b29bdf4e35bd85f4

SHA256
129fd846ac37cd791bf8ac347184e2d4b4cd8fcbbb0449b5c39d2dc36c61a924

SHA512
d57a716f3d44a1754709b55e00ecc95b423562b42e6e97e2c4fad0b70f0e0d7bdf611b359bbb1561c1b3b242bb756a60a3d157fb32a62a95c29d477bad601276

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e12063cbf442164692adeda100163309

SHA1
47e4e7d86ded391276925b799f712b8469a68b5f

SHA256
8d78676431dda21ad0fad043cb5145e918ab616bbdc0222ff2f1abb04b255b30

SHA512
3af8219396980f807b7de8b1279fe47a34fb941c253b0a4db237595547ecd3025a4da1d1e6aa5e4ca4d08bc2b11147abd74e4b8920f70bc2735b1afd9eeb61f2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
64aa193bd49df60bb8147c0f1b7d4463

SHA1
9509387617e5cba0ac38b5a5ff2687731e448bba

SHA256
7addd49bdd003a19c09bacc8747d87ceeae3f6ac6d953e139fc6396b16b34c18

SHA512
475afd3e72c1e533a54c7dce452598f5bdf36d6f391e02f5cbf24d4e13ebf12619fb7e4c7cd0c7a1941930c9cb987c7ef4353d105bb27198832cef6b4307b61f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2017bc1ad588db6593742f6028f2b8b

SHA1
b78a7d3575326f7d3c3b9d0e588cf171576fb803

SHA256
30cf58ccfca0689267931d90c8e331aee3754f9c101476d0ecfb9f87e1ef6af3

SHA512
66af70621d5765a0249f61f175113d36649c4ee50a1a97a88af67bc335d22ec9a7141cb580314b448439f6ddd37577c894403ed5de32f2b9bcf81c5e0f24f270

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f2306a769227d9552e700ebaa2342c6a

SHA1
90b1c0483a96931735131b3e687b9b3e991116ee

SHA256
2d5625db173cb264620d5788d976c76a57dde529196a402e3dec290f61d3af9a

SHA512
99f30a32deffeec30d61870ec55c8b8a6bd9f55abd36c475e0e2273d6f7baf596f557291678f499595eba7c389556c32edef5ee186a001210a71b311282146ef

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
dc8e6bd4642ed2d0828cc6957fa8b3aa

SHA1
42f51e9259878af1a18b92460d011b836fd9fa90

SHA256
f2ef08622b0c53572fd819b5233b587f19886143c2f0b1d44f1bc3039a52283d

SHA512
fb1abe38bdf59560418f10374ed7dbe1ebb05b6e0febfbd92d21c31430e1e4186341a47f99ced3a2f219464a12e907569b207df83cc30ec06351251d587df9d0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4a5c4e1c38f0128cc291dcc6a47c77f1

SHA1
35f06016fc1f15d542801147d02833193e1dab20

SHA256
82745f39069a8075c36c4ca61f71128fd3bb5885c93502a0cc46e631b9575417

SHA512
baa3f126e996842d4bf3353ae633e38a06c012d7fcba0bf17fb95e5bcca83426fcc34dd6168b079e326a18a8ed37b8c81d909603f3cef8964e32ef63705e13a6

Download Submit
memory/1140-258-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1140-242-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1140-327-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1244-65-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1244-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1244-95-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1244-57-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1244-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1520-30-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1520-111-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1520-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1520-16-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1688-144-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1688-143-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1688-127-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1688-118-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1688-115-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1784-197-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1784-291-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1788-93-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1788-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1788-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1788-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2036-369-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2036-376-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2404-173-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2404-253-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2404-160-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2836-185-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2836-176-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2836-277-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3016-234-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3016-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3016-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3852-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3852-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3852-36-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3852-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3852-41-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4428-146-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4428-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4428-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4428-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4432-91-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4432-70-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4432-72-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4432-110-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4432-106-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4484-203-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4484-209-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4484-304-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4484-296-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4776-100-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4776-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4776-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4776-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5028-148-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5028-233-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5028-155-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5212-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5212-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5212-279-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5392-353-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5392-293-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5392-284-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5432-396-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5432-382-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5576-367-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5576-306-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5576-299-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5684-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5684-313-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5684-320-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/5684-325-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/5788-329-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5788-336-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5896-343-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5896-349-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/6052-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6052-363-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download