dbe0a86f38b3c2dedf9a922e82d9b7e18a0aa9edc4881af5f97ee8e3c37d9014

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
Size

5.5MB
MD5

668cb083fed44ce79bb926286c4d4e56
SHA1

e655f6f018422e8e12388b6e74e0c2357ada577b
SHA256

dbe0a86f38b3c2dedf9a922e82d9b7e18a0aa9edc4881af5f97ee8e3c37d9014
SHA512

607f56403ece1188909e71b06ec6ffd4183fbfa4e938eee271d04bb9e588891d42c223d1b12078f6344b754bac595d7dca85bc131110b45f189515e9df08a23d
SSDEEP

49152:5EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:tAI5pAdVJn9tbnR1VgBVmGDb0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1196	alg.exe
1524	DiagnosticsHub.StandardCollector.Service.exe
1700	fxssvc.exe
4248	elevation_service.exe
4012	elevation_service.exe
4692	maintenanceservice.exe
4584	msdtc.exe
4852	OSE.EXE
4248	PerceptionSimulationService.exe
2732	perfhost.exe
3792	locator.exe
2388	SensorDataService.exe
2680	snmptrap.exe
5148	spectrum.exe
5404	ssh-agent.exe
5636	TieringEngineService.exe
5772	AgentService.exe
5868	vds.exe
5956	vssvc.exe
6132	wbengine.exe
5248	WmiApSrv.exe
5160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ede5a8b74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9f3f6bd2694da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d759bbe2694da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582032984499303"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f5418be2694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000344e94be2694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a61bfebd2694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6e1c4bd2694da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da6acebd2694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11299be2694da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075191dbe2694da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
464	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
5540	chrome.exe
5540	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4688	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
Token: SeAuditPrivilege	1700	fxssvc.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeRestorePrivilege	5636	TieringEngineService.exe
Token: SeManageVolumePrivilege	5636	TieringEngineService.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5772	AgentService.exe
Token: SeBackupPrivilege	5956	vssvc.exe
Token: SeRestorePrivilege	5956	vssvc.exe
Token: SeAuditPrivilege	5956	vssvc.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeBackupPrivilege	6132	wbengine.exe
Token: SeRestorePrivilege	6132	wbengine.exe
Token: SeSecurityPrivilege	6132	wbengine.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: 33	5160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
4668	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 464	4688	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe	85
PID 4688 wrote to memory of 464	4688	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe	85
PID 4688 wrote to memory of 3728	4688	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe	87
PID 4688 wrote to memory of 3728	4688	2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe	87
PID 3728 wrote to memory of 5036	3728	chrome.exe	88
PID 3728 wrote to memory of 5036	3728	chrome.exe	88
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 3768	3728	chrome.exe	92
PID 3728 wrote to memory of 4972	3728	chrome.exe	93
PID 3728 wrote to memory of 4972	3728	chrome.exe	93
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94
PID 3728 wrote to memory of 1592	3728	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_668cb083fed44ce79bb926286c4d4e56_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2267ab58,0x7ffb2267ab68,0x7ffb2267ab78
    3⤵
    PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:2
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:1592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:1
    3⤵
    PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:3952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:3520
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x7c,0x244,0x7ff78002ae48,0x7ff78002ae58,0x7ff78002ae68
      4⤵
      PID:4380
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4668
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff78002ae48,0x7ff78002ae58,0x7ff78002ae68
        5⤵
        
        PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 --field-trial-handle=1916,i,5197789246779964802,9013777345358890147,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
59fbf71ac46a51a46e30e3e37cadb852

SHA1
49332a23a906d4fc396687b48d76269c7fc2ad62

SHA256
f813f2eec28f327be2b3cead7fbba5556a5d5ee908f4bb49161f94e41214be2f

SHA512
3e670fdf950a01954fed125325457a4d1f1c347056de1f6e108388be4cb0400fb8a3e202d35243a844c5d616aa562e24bc532ab94f2ff74568e7e0b25de52da7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
635eaf3d1afbdd896a4adf9aab5dfb4f

SHA1
5083b5c50b1716102a27c78534f8210ed4d107e5

SHA256
24790cb74347ee3ca93decba5cc0b80c8368e37c4c22a8baafc3d5c2afeeb779

SHA512
4f225c3ce3c3aed5e4afbe10c2e5c30764fbdeb375d553c822fee017e01f22186c580870c6c103d6fdffc5c26f69f0c81663e41dc9a77737eefb88a437ef452c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
396292909061fe9efcdda61cbdf6e90b

SHA1
4a424ef2e071cf2c185ed052b93c42b7f73b9f99

SHA256
08f484a77aa27688a9856e95f95b4e32b08db4007e03eabb41ac2a0d1aff7cc4

SHA512
77cbfef6cc403b556df18d0545606908245452616b6bb09346fc8d20252630f3c21cdb1bdb39b912facd1fb17a02bdc468fbec338470dc348e86a30ffe20c451

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9110c24e466ed3c7eb6f787459b1606b

SHA1
737f95767752f06cb870c6aa605f394bd80023f6

SHA256
c470fef1a28cb1cc535f30a96ade8c7a3510597236f3698f30adb77490abe5f9

SHA512
abfbf65ef6afa3bcd6be655508596497211304a05f1be3f281839c47f007e79da99aa932878d33d8b66681fcb403b653a66030631fee3050160c545a51a24d1e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6bb2c45bfe23ae61b83bcd440f293236

SHA1
2c1d79453f3c8a24585e76977d1da30662528c65

SHA256
0686dc8a7576e0b1ee9445fea63b962bddb6f9a03bd6e3ea097b3831e0b2c976

SHA512
5c3300d95182c72e63dedc2e0d087dbdcb33c5ae5e4537ecb2259a4513c4c5797389d7f161658a15f6560ad5e806f19141b7d4ac3b54cb791dacd90edb7ff43e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
8b83b10d8c4abdf83f1d84945cffa43d

SHA1
88a149dd1594a8ae8f54b3131edb70e41d6d8868

SHA256
24aad8e3d88929276644d28443fd7626bc609b17ce9d706a9e5581f67711628f

SHA512
9d756c7159d21d62c4c4d4cd5d75d566c33ebf7208c093bf9e30f40ecceb1b915efcceccb0ae93588bef5791447b5c215fed6733201e2c33381406c3c2ba5e4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5e0a7e2efc31a4c65ad197ade07993c5

SHA1
190e499905956299f8118ba58e8781284401a29a

SHA256
fc2009200944ed4169326c8ae5ade72764d355ecba1d57a5f8cf718625468677

SHA512
433370a3f2a186cb2fbfb52aeab826264d4c318d68fb036458b3ad8d2558fca278d8eec78285e64a0ae5d6d15ffc4d7d66b6c3193ebd7a8718e13052c8abe8bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0eeb443eef99cdf0149e2f891bc76fd5

SHA1
db433f92039f7e86801396c282150d361d75b3b1

SHA256
1c8024479da9157460a2505253cabcedda25fbfa1c9cc5d0d141eab45c255132

SHA512
18c7ad615109b4cf1814e66c834471c19b647c1f96b8ad63a5ba6bd3e35bf49a6bc3e0158367ebcc813629672a9514e2e88200cf541de18f33a84567ba88b4e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
34faf16871950831f0a82fab79d6d9c1

SHA1
8699a56b4f0584030476ad0dba5229867c97a0e1

SHA256
446e387e9eb50326607ed3ed9dc0ea7c707d76ce865bc96673194e195da46c91

SHA512
6e01c6dc7ae41293271dd4b8051887898c4fc673f988c33e072e53cbaadeee2225269d8c2893e38a512242ebc5d6daaba7e52554600a94f709c0d2a43bd9c14f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
484cf444c1e42fbd38d3fc96a0d6c841

SHA1
256d26055686620fd5c39215025308e605b35bf8

SHA256
eed4f395d2dd75e1c0e8e9a10845b1919c7b8933249fa94755673b551e8a027f

SHA512
b79d5cfb6974ab0b738b5c87dcecb0932093cde8c762b44789799be3a984e8148360cea84c9db5310b2f5f49f74867b3335e97d4cf73578fd18c700fce40f28c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
32b137572d765f6dea3a5f1d4b486d05

SHA1
49adc2686b79fe40122e0e85ddb6e1992106b46f

SHA256
92d9ff2bf0d7f30cca63a30cd879041d796cc165419a9e73548edd5fd28782b8

SHA512
460f879ac4449f4d4bdd9ad10d82c57aa4aaa19648612bd209207967ec6e350aaf8160a0f6961db906dd845a8432e00418edf0161e4e830c1652492e8cbebbff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c8e3d751c4c0bbcbc3ff8a92be3fb59

SHA1
410e1eecbab8b1d0469083226531dd887c7afb2b

SHA256
1fe80d87589291e83418ea1bf5d25aaa48d5938f25083b6c64ff9cd99cdaa43f

SHA512
ada9d08759922f7da0fc48fca6deb91136cbf8ed35cc6147e06ee0cf6177d44efb6dcbb22098113363a769511d94b061be5f17766cd4ec216dcc3493a474ccc0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d1959a5da8d513ce7643baa442ac92d7

SHA1
c328b3aec9a5e4f8f898d4a8d73aed7ba796519f

SHA256
84d272b192900c784f45abe1b6a56e9f74a15c105e4d825cec6247d6086ef41b

SHA512
cefd8ad99309d44ff7879a35c3011718ccd17adcb88cba78922e38f7b985eca31827e4ce779e10bc45940a09bff4bbdb8dd79550851711828126570bdcc2cf64

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
b2be7d4f2cafaf9632bbba8042a6943c

SHA1
3adeab3ee055d96d1ed19880c013bd3ff93e5fc9

SHA256
009e106db6beffdec55e4d644682c31f1ccc7d69f3a17143cf1c15e1349f24b1

SHA512
dc35c9204d83f8b290f3b0fd1e91e09eb54d9e65870e3f7fe75b8ffabaf2a879a8f39650596ed0ad42ac6705fa9b8a203c6e726dcb55c34d759c8d8ad98ffeb6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e49b7d19a3c039781c6d1853c1046515

SHA1
413ebb7ce69cd3193a71f2e436ba63e63794cf91

SHA256
90ceb42c6027090fef0a11b4c7cf7853c374f113724c4a7a70d0c6f4da21c632

SHA512
2f903d9df701d09e6d7453a5a817600c88ba02e237698328051e50c8a4f0372160570ab3094c5efe7ab620fd6cbd05182cdff4494d9b24629355eafecde6067b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7750e41f9f17394b3a9f135fe9f5d84f

SHA1
fcf0a77a3fc75aeaeae1d79f1c1127242bf4bc94

SHA256
7ed64aa7745aaff2f41cf749aee205aa343525606b3be1e571b2d38115c5ce23

SHA512
0e43f1011b5d2b2322f6f83c1e7d00df5ca0b69d8cdccaf76fa2b9231338f71569050c5526a76c06a689e245846c2f7b6eef1cd66db3f1a69191b511f98876d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
57a5b9e41bc62f39c6e7f88b57c8cedf

SHA1
22bc9508176866a5aad198f46f5c20e0a05b7235

SHA256
1550af800ca3394800d7dd08982a552c9b6d90e0539f6d42aa0c3909bd5f407b

SHA512
7972df2f4e5e02b503495497c7a03612d1f685789610941f33658e45b9bb07f64090132d82e0102da84647a14e71b79bafee159ae0b48ea9ff6f8b55942c7a90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e53e76ea626b89a8f66b86b3ab5cf708

SHA1
0d4d0aa433287e3867b409bbcbcaa5bac0835bf3

SHA256
ac233be8774776e963fc270e87b946da06a136592289df3543e072c8d65c0b85

SHA512
7ed7bc5124bc18af26a005d2fed222bc8cb29f3933ac7fde42bf32bbe63c3f1d53087591de8e9d165e2396b41fff1e5e98a81bf73a6b7a2f08f75baac483ccdf

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2c41aac4-835a-4626-9061-8b314047e712.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cc21549f94e72f61916512c8037f7527

SHA1
383062fcc7c43107155cc45cceee77437e944948

SHA256
64f21537b6df464a66a8804f887f9c8d2e292652b6b66edd40da2d34ab27d82d

SHA512
751671e8a4e8e175bd5409196194edce9c7adde807b36409e864d12ffc75560a5fa44cb18373bcc9417f4c149ddf51923bc01434cb23cc3afd5bf4438242281a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6fc86f36afbf163b212b12da1106aca0

SHA1
836e4359b3778e168d7fd355f39532c878ab84e2

SHA256
fce72a3a35d87f8e45cc3fe95bf1f857be131e937f94451b3a8319c4539aae3f

SHA512
30fdeb1e1c7c9309801de4b3b9b6de8f259bb48d419014d072bc4a08ae437c795a7ffe8167fea8524dbe97c47e1e13cfd6ec606d1218fd839369efb6a0809948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
34c2a859f96e629d6bca4fdab76992bb

SHA1
323db29bad80632ff948059458ac1f9f39370989

SHA256
b58e3167a5497cab9215c304411e5d2f5646ef3dbc52896a630a48e685362fe7

SHA512
26f3e35ccbc5fa548c4d5a1f03fa8c9209c0485a3a7f461e3bcfbd89c010fe88813111cdd069afecdb9138cf0ae67238824679825fe9608dd0d81a7cead14f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
18302ee259186449603d8a0a44f4aafd

SHA1
2679475233c924d065c1d13590a2ccd1fa24b2f0

SHA256
42b94be2d3ce0134153546ba3ec9048fbd48e7c385d26b8bbf27496ecf7ce344

SHA512
ee2f9dba21a8480502e6c3a4d0c3d92b503fb0f5f7e1e35b30de0abf71ce0d49fde5589b08c924d35366abe03a7deb732b98bf7ba48c224f72e377aaed5290ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
37ae8ada9288059e7a6b7601e42764a8

SHA1
a2baad8d4e4062ccf28847cdd9679c3b0008785c

SHA256
86919fb3eef6ebbb4fb81b756ed056d47d1d608c714c408962d25cb7d69e6bce

SHA512
118d0d11e5fd17e56fd5689785dfa810df6acb8a470f18c694c64fa370ba4a71201c1e1c631e787a29149f9575464ae091e63adb4ad5131f2ea7db21349078f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5784a1.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b146002f058f9fd843cbc75b34f8e4b2

SHA1
d6c5ce30f4bdf161b43aa2bcdd1a82ad3a112437

SHA256
6f6396ad4a21721109c60ae313544ecdae34a1e77d7156304a37e2d521c40a9e

SHA512
6e01fcbeaf2aaba6470ea198118d2accba7f271e3ac652411960c61640dba4a4b2aeb3310c9cab6a31082ad81793dc2bcbc4f086b6446c441eaa2cdb86ba6f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
02f7b4ecc4dc1fcbd6d164221d9b4379

SHA1
ffbca420d7eced735f2b59abe72c526f9bada856

SHA256
264c7e0036fdd7207582fa29d154a6ee0c7d232a176c1b91f6ade4070b002775

SHA512
94548a55fa477cd35686b341b09bebaa1e9a8e9c896aad54b6d54111ac4261f4018933a50388588a11f25893fc7a3ce8674684c88a8e975f19fbfb003e2ec52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
911b8cf27509268d2b8b2b9180938b03

SHA1
441d143f649a56b7ad583d0c64a7b0d2bea50b47

SHA256
eb80af630f583294ab3d353da8425bb701828877a7d2442d1ac2bb4337306889

SHA512
48d10aa2dad2fdc2f131a963347d69193fa779f765066eec5c2df436baee5402ad6f4507dcc627d357125263d78d8b7496d15687e97c79934b486173f485fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
912d0674a903476569bba77536f734c7

SHA1
3d77fcac2663e61c6e2b092f4efb28197cea04f0

SHA256
8ff3a2f64cad3ace1439b596c909e64e6211ec4a431887e5f5e7fccfd41f02de

SHA512
e75ed24a73663351639ab732af2289117283f98797fc40de0de9fa70f9886019c49cc8c676d88d7a40b88fa9bc4acc550750bc0cef940cc7fb5d1f22c7d2db6e

Download Submit
C:\Users\Admin\AppData\Roaming\1ede5a8b74f8f84a.bin

Filesize
12KB

MD5
1ba3fc9fb483bd0f8b8f2264d425778b

SHA1
cd7ffb7924f2eb5f3302fd70aaf68d221d02be60

SHA256
ca3b9fe0209044738a5b5f1d8d36ee3da8e36f006f7953f343e6baa8f9f4d4c0

SHA512
a56ebf81e3415383da24fa88eb90c02f6b0268d4aead72b7051b1c6a343e517621fd3f3e75a54cb9fb4d2e6cf71ff1717baa2eb7386772e576d6413744fc95c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9e4c30d01e192efd4ce3816da4c67734

SHA1
142bbca3de8cb99b309087e36bea57da7f8c9241

SHA256
a45675c3efc8cc9f5ba7b64a583d6c789ce204c260d5fce89a5d60d6b4a3cd18

SHA512
3e1fd88d6081886883d2731bcc5aa0cbef35a9946afc9c11478087a4e0a823f803e768ffc447fc146bdf3e1b20e0c21102d4a55fe8b5c906ac10e7c60ba8bb66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59bb432d1b701c8d45fbd575433d5f4b

SHA1
11b0e0413d127b813514e638474f577445ccf309

SHA256
8d2c6fb7a011b64d16d445332d94b9a60d5c6b398c952a15cab9313cdde84f1f

SHA512
cb27e6eb228ab7fa0a666788f3347f6bcb008b4f436fca18947bdb87fc35d84dc866e3397ece448425245a3d7422c5f7bbf9019f38d31394e552a9b9483473a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1a1105092122463c5a3d877e179443d7

SHA1
28eef6b7532cafc19d7705250bd03b73de4a5a3c

SHA256
be8d4fb292d88c5f7b77e1566aaec97a3bfbaed420814bbcbcd51e9d30c48647

SHA512
cf46a8ca7339b0f05c9961bbeb6396d0522dbb0832d6a0a6190565c975faa1bd81f7fe9bbd2b4bdea6a5bd1a459fd11608c449a163ccde47bc70136c4bae143b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8856a603b5760813298fa07ae960e8c5

SHA1
19877429dfb75216876e5369e8c449dbf4fd220f

SHA256
6b5542b9249da14967f46ced6c4219c908715d11585dd0b4ff6416363d773fcc

SHA512
7949c2348d99ba257898bb8a2788bd2da4bbf56146660fe8420048367a101f719b3ad9553e5cb99eb25ae6c661a0fbb3ad50db67923bf73585511a7e8cdf5d7f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
786dcfcb2858124121c37ea0223e424e

SHA1
58125232de7b854b21f37b01ee252f66b853bca7

SHA256
139a9a3049a5c6144bde72b409439cc8e9704ba9dd924b76e0713946b7de5654

SHA512
0e9034cdc9e807819698eca9a5f3d766c86c72faa8c4915de448fd2964538b8b30406022a05597a50f331f22d4a46ce73ec0e81f13ea9af6e7e521999e033247

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
177f13b392ab92bf539c30653cf71438

SHA1
73252c0b97fca84673290689fc9561207723ab33

SHA256
04bf7a438bf6e896898b488a70e4a9419f9fb6e5ae74f6d1fd8f18c60112014a

SHA512
0e267392611725925c45bc8f7f9769318afbe20aa51ccbd55529ffec16373b1447bf999bab796a29fecb8cffb4c62af375ac28133a6466e0beccd7e1e7c0abde

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
58ce07fe2f23370c2078cc666b41f063

SHA1
5666b365658e81d0fdfde40dfaf5ef2338000af1

SHA256
fbfa406cc2fb2403a35081facdbf5f0c5194b6b105d39d691ac8c396c224dbe7

SHA512
709a0b93546bf5dd8a879643f7146f6e988cd1a1b407bc895b4a51d6b132e41a13c26366ffd8b680172927d5162eb96a6e7a07431a0900ba71eae8ae89bfa1f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f2c386c19c60eb2f00ec8713091dd3b8

SHA1
67ca5247b09fc4e0c4e40c36f9edfddcdea80c7b

SHA256
f455816ed03ce4fdbed549b027f2b15829e017453bdf845807006ef283733de0

SHA512
9aba543f7da88cfb21f283889dc711e4c86e1db0181b28efec7f44c0029dc5779d23749f3a306864bbe4f4dd8826cd4c862c0655eb9240ab84a3b97747a6998a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
521ed504f20c2cac5e2e02c3f4e36667

SHA1
200cacc0a650f3bffc1b540471df68be18b7351f

SHA256
987f0682f3f4194585b0be08c5a395a6a45fd25b0a55517b9befe4663df7214b

SHA512
3ea8935e74efe561f8e0683b3975c382f2c8ad2ced299123b957ecf973448867ff0f9f3e1d5e86d2497abe40c23619148f2361f8ac765df80af8b96961426a37

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a944b46377c11e6bac0c4b11b27a6562

SHA1
a8d5ef905cc837ea309a52e598b8b00e8aaa8045

SHA256
3a012522234d3c55f6082286d0e8f7409a6d48493fcce4480cd469e4a5613bcd

SHA512
7c4788742e3619bcf1f3607134e3a2d7dfec663be427656dd2268f04330cdb2c6d166118f750fe6556ccde29403f0fa0b20e65e62202d105016af2a048553763

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b1ded0ee894088ba3d24056093b136ee

SHA1
f0e6caa9105f76ea61b5c3f26a301b81e92f8fb7

SHA256
e81e1a81e32f9cc8205fe2d1304dbbd13010d423ce83cf4bea0d0b2e4cfbef3d

SHA512
65ffc5f848593c68857be6a69974be3f2a83061cabaceb54308677e310ae2bccab68463f328b0f4c39fc1a9b20be58326576952dfbf60cc53af83f804d1bb7c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6f5ba9bb475afe4e808170bd43e23b3a

SHA1
06f735c20bfde9e3fed46a77525c378eb275d8cd

SHA256
2e43b3847973df686601abbdee1ad0cbff10723132ffe866ddd0bb791220b025

SHA512
bf1f06c0a35182a9fea167896081a3c9bc8a685e03c04f065cf169fa4bcaf96be87dd6a706b820adaea70d09ce36a03831108814048da2c9165f3bb94be3f561

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
40661d2a2f728852e1a548f1a037ac6e

SHA1
2a91324c20f92ef144d4532601e63b65662e57fc

SHA256
93d6a225896136b4c2b84d9d19f5a16208f2e462412d2f7ac95adb939b40deb9

SHA512
99d88c90800b756e80bad96d71c47b10f7380eae83fdd386f36e5432a38550d91e2f5049894a87ca8de7c807897ff1bb7fc2efde38e4a34bc323c2a8f5177597

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
50c319b718d4ac70c0f7c61a78e27f14

SHA1
79fb979ec1ead556765e848e5142e43039445fba

SHA256
c9a3dd1fe7a05190cd4ffada6f78ad1e8df77f423c9758ef1612a66fdac63fa6

SHA512
6307c90e72c1522b35b6465fa4d44776d7de49a1b01fd70c9c2a5d4364f85a0dbcfe662ff405227e0be98a7a40921603994c1f7f30bb07d10a10bb3997324607

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f1720a72f6b600fb8bb073c697d402bf

SHA1
374e7ac1e383344a6805c96b08f08fffbe6f2095

SHA256
eaae70135b1d304a3e7d91f7c6e86570b0fc1ca57b2593bbd11981bd21d4541a

SHA512
17f7a7a8204ec7d22ac56cc26a759f5a9475d4d2a3d01ac2ba071df928a40b6acfe5b940242f01255eb43968eb2bb1c5cc02f2e446ae5296777a95b9e5b9de53

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8381c98725f9788c1702ee76c19328db

SHA1
c855bf6053364fe027dd8bfd8bb360da3514df51

SHA256
21786507fec7d65d7d2620fb570054325d6f295bac7d4d0ca7256c9a7477a478

SHA512
b5d200a9565802b9c6aa58cc4fe3e1566bc2f850d350f5806aa9142419f59ced557b7010740bb66690fd353788f82d4bf67cba1d38a648467fba10628739eb56

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9ce3df22df8fcc6b5bf033030128e8c2

SHA1
848af7916df568a1bfbdf90eadd3ceb75de3099b

SHA256
9705d362df9fb339be0c3532e3407943857153c940bc9a7f4fee0e1969ab2b1e

SHA512
60488fb204e4cd42a910a3f87604e70e727b0d1c71346b6639d4f19eb4e7f5e6abfeca0c1f07b8855755f6f045c2610ef0c716bf2c6ee0ca67e304d9526f49a3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
93c1b9fd5b64627e1ab42afbb0faddad

SHA1
97791b3c718e687723aec7d6d512ab76e788d6bd

SHA256
d7ddfe3813bcc4341219d5c0a2c43501af78ebd319c933442d5db62a360e8e30

SHA512
5d4f37468d6b9bfbf19c2ed3436932d9444ad1b4cc1b8948bc63380064af95216e963e95c948d217585138cda2f8fe07ecf4b49d3522d07b98e5da9dfb77b03b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
26f25ccae96771e2663ee6366ee6e56c

SHA1
8507469c7ad0a9e91246030a5dbd155582793aa8

SHA256
328a2e1b8ba1f33b717e3b6aa5251513ce23e808bfaf1fcf8f1881b9aa4c9f7c

SHA512
9603a6856bf41e3dbc8db273b415190bc92dee61fcfdca4bad17544cf01f48c721400cf6fccc1dcacc58b58cf6fdbeaaef4df4cd5eac01165137e803e5400409

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
01b5a7aca8153dddb46b9ce5fdf9b1f5

SHA1
d6d047596cc3a5983db5a1299d7e2ebdd2c22454

SHA256
23c508febb5ff3a9cb51a2090794e23433fedfb9543db652b5755ccd105d97d4

SHA512
764cf05e83febdd21b9934bb1231f8cf804c85c10b1a286387a7099d213aced3721e14d10b32a3cbbff029a0263264c8e1d14ec191341aaae9da8bc7c59e5414

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d025743ca9719ef05b535f91f8d21c9d

SHA1
680580a3a37cf7ffe452962260391544961872e5

SHA256
773b1eeade6d12c602ff4128fa21210837213bef62b4a984e1f19bc17b25e25b

SHA512
6bb21744976bd835d75f0bce90f20b3408688cd2b26c6f0b4e89b31c911380bf66c9ec9960f39d3645cd0f9e73483904010c1ee62fd604b55c9b1e8bb8479e8b

Download Submit
memory/464-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/464-25-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/464-12-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/464-100-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1196-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1196-102-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1196-22-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1196-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1524-153-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1524-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1524-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1524-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1700-105-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1700-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1700-80-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1700-58-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1700-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2388-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2388-225-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2388-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-243-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2680-230-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2680-324-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2732-199-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2732-286-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3792-212-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3792-292-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3792-204-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4012-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4012-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4012-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4012-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-85-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4248-278-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4248-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4248-113-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4248-261-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4248-86-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4248-192-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4248-184-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4248-97-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4584-224-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4584-155-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4584-163-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4688-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4688-0-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4688-31-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4688-8-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4688-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4692-149-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4692-117-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4692-116-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4692-125-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4692-148-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4852-242-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4852-180-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4852-170-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5148-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5148-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5148-262-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5160-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5248-371-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5248-366-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5404-351-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5404-281-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5404-289-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5636-295-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5636-301-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5636-364-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5772-316-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5772-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5772-322-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5772-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5868-326-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5868-334-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5956-338-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5956-347-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/6132-353-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6132-360-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download