72ce938a6a50180f31fba6ab5406273e87ec2be02275c8dab5ee5c866c587195

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
Size

5.5MB
MD5

6614bd863f817d712a4bb73c8ff1a281
SHA1

c2dd63f0795905cf0ad8879b304c9faf65ed0d01
SHA256

72ce938a6a50180f31fba6ab5406273e87ec2be02275c8dab5ee5c866c587195
SHA512

2c2f5dd027fc2ffe7b3b2e702c7159e1d26547ef318aea772e9b3746eb32632d73e7c549f189501889ef4a7a4d8c9597562abeba1b197d7d20c809cbd11779fa
SSDEEP

49152:XEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfv:DAI5pAdV9n9tbnR1VgBVmkC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1520	alg.exe
2516	DiagnosticsHub.StandardCollector.Service.exe
3284	fxssvc.exe
4380	elevation_service.exe
2108	maintenanceservice.exe
3104	msdtc.exe
5048	OSE.EXE
1136	PerceptionSimulationService.exe
2848	perfhost.exe
4384	locator.exe
1396	SensorDataService.exe
5152	snmptrap.exe
5396	spectrum.exe
5576	ssh-agent.exe
5756	TieringEngineService.exe
5888	AgentService.exe
6024	vds.exe
6120	vssvc.exe
5320	wbengine.exe
5456	WmiApSrv.exe
5684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0673ce574f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008534ee767196da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000147e59777196da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584552926222371"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c803a777196da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ab6b1777196da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd4bc3767196da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8e13c777196da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e76e08777196da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
3020	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
4656	chrome.exe
4656	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5100	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
Token: SeAuditPrivilege	3284	fxssvc.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeRestorePrivilege	5756	TieringEngineService.exe
Token: SeManageVolumePrivilege	5756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5888	AgentService.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeBackupPrivilege	6120	vssvc.exe
Token: SeRestorePrivilege	6120	vssvc.exe
Token: SeAuditPrivilege	6120	vssvc.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeBackupPrivilege	5320	wbengine.exe
Token: SeRestorePrivilege	5320	wbengine.exe
Token: SeSecurityPrivilege	5320	wbengine.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: 33	5684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5684	SearchIndexer.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
5128	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3020	5100	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe	85
PID 5100 wrote to memory of 3020	5100	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe	85
PID 5100 wrote to memory of 4764	5100	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe	87
PID 5100 wrote to memory of 4764	5100	2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe	87
PID 4764 wrote to memory of 4688	4764	chrome.exe	88
PID 4764 wrote to memory of 4688	4764	chrome.exe	88
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 5068	4764	chrome.exe	91
PID 4764 wrote to memory of 684	4764	chrome.exe	92
PID 4764 wrote to memory of 684	4764	chrome.exe	92
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93
PID 4764 wrote to memory of 1900	4764	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-24_6614bd863f817d712a4bb73c8ff1a281_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2a8,0x2a4,0x2e0,0x27c,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0943ab58,0x7ffd0943ab68,0x7ffd0943ab78
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:2
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4172 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:2708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2400
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7e9dcae48,0x7ff7e9dcae58,0x7ff7e9dcae68
      4⤵
      PID:3552
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5128
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7e9dcae48,0x7ff7e9dcae58,0x7ff7e9dcae68
        5⤵
        
        PID:5164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:8
    3⤵
    PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1916,i,3686560895154257978,7363501648489265860,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4380

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5624

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0efe0e11960e53c1293b90ff20e7e1ce

SHA1
0f72c4eec57c6a82603c8c14f4b986fa117ff565

SHA256
a8904c83b26a01974eb1f356185d9d3185ee3d3ff494c634521cad98540c30f9

SHA512
26d8c828bde3a4c11ca2cacde5a4f5143e0990d822408f9436ea3de662aba4f4bc3a95631db6a154d93424e232440d561ba33209f1e4ca70df402f8e06b159af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
20ff03d582560bba4965cfbec782a900

SHA1
c646d4835140a7ebabfd9f47c8ad50dea2f27846

SHA256
a1e1aa4cd03fc680b9b90a3c07bd12e282d9081a6821588444f87ba72205c0a0

SHA512
e3ed4ab36c80608c0a9f83e62ef350259ff393bb137c8854ebc0b80b6bed3f2235051d851b144059c56dfd87abfd783d199eef4213e8d7e9f4349bc28e72aadb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1351d7f38662ab66e2c618ab20f3b540

SHA1
04c225654693bf4bf6be8a39f7a6f69312c86724

SHA256
18dd43ebaec03a867e331282465a82bb0d50cd2fd78d1123c2cea3f91cfb7a71

SHA512
6d21d4c9620e033d5af3e62e36765fa650de96a090ac367a79c41781b44de417ecad32b6f683320b02d2b3fba4ea8efb784964a27059abf42f0936c69e7da828

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
61591164520459954a0f1eb5f4aa960b

SHA1
b39e0b3ca818d511e35f3fff3e918a342633343d

SHA256
7517aeead3fe157cca44fa3419b5e04e3f4d56c739034e489b92cece43196103

SHA512
bc84fad390da776664eb466d57079b873c227f5778c93401994f813887bd3bb69f59d17666d594dcf215059dcac5f37f93033c61c58232da604ef3816a27b5e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
faa8859e55611420c7389be2c6270db0

SHA1
8635826fa027f28fb869756b850ea4d52f0aef49

SHA256
d406d1cb96c196c7432a9dbb6a27a9f583c315e74a93ffb01cc2c08c5d51390b

SHA512
265b75cffc953cc62a0bffa11eb8bc9471756a77e008a32a5b5cff2b94ee41d99defcb3c142acda993dabf06944590be3019aad12711b2fe85e46c3c2dab476d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
271777a5f4c5bfa1045eb2e9044e6e3b

SHA1
b48e5e6be1066e5d14d716972a55ae776ebfdfc4

SHA256
85af85cb8f61c4ba1bdf224bd86f4bcc27755a701760b851bd8e2ec6d2d490a7

SHA512
095aa23013c7627b8fb6e2d5284eed802fb8aca8303d323b90006ff50b7598bd5ac41fab76660e389fcd00e299295ca6e45a8adf997d30bdb9272cf3a71d11cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d9201898cc1f695d753e386a33268080

SHA1
4198d32d799d291800b0deb5356e7eebf327346e

SHA256
fb8afc081913e75f808c635c0bae93909cdbdfcab3daabf18112371d73d6c4f8

SHA512
0e3aed08db38564f4653d842c2f76bffb0a8b019cb78e6159f848090ad336b45793aac67eb2adcd67fb2c3e60d056e29618d0a73baf5d2cf8245d4456e11cf85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
30b7d222d5066987b912eb7adcf7db20

SHA1
0a6cb1ad7556811ed51df866e583542b55d02d6b

SHA256
cb917bd61a41a7166ecf25d91c0852097d1ffda187d74d4110e61e8b35a48ec1

SHA512
a224fe7293de7e5a59943e55bc9cbc9847066725b9c286e5d5c88e5621e87b56364a846dcb2178edfb75c114c1facff6126209235bb5d816718f0aabd2b91dc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
621701c214147d615ae0fb0166fbc270

SHA1
d0b0688cefb8e18d7d63f387f3a1f28d80582c41

SHA256
4293ef78215ee689c9339e3f767a9b6788d0137988718ef4c7cc31235605d50d

SHA512
051dc055267e33d4e2f4363e80f499a2b8a1eb1902d7ec6e54185e34d21eeea8e7cb7f2185bea814c42da2eb2d3db4d89820de90d11177c7a198b8ab64505d99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
94d57d009333e8c89f476840092f317c

SHA1
d7dd362002561d9084853ed1b965b3b5d264f486

SHA256
8e11a045383ebd0127a14e427e5ef12bd23ffdbed1de46080b0c58babb1d2f5c

SHA512
711016098666069b6b698ea2da2649ce6b3256efb095728c29f058e5c307c51745842b7bec2ab6c01e18bbebe7c89fc6f6a28dc1581f7fd9cd311edbf635e2cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
23fb851dd16db512815415ec0a5f57a6

SHA1
f74cf7fea04259f3f2571f98a83a76bacd2ce792

SHA256
429cc7cd117059ee9115d1851eba4a66ed20067d55426164d05b4a52f97c0f26

SHA512
f47356a7c5d17648f3b68ad344c2cb9862d6a657a12abdf35887dc81272dd50c38ac5da0bf7a9ac971025a2671a6918a2153ba1e7fe39cef2346c8a55d6b9028

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ef3c0e3a0bfc4265d4cbe7fcd1254880

SHA1
0d6472dfc596aaf7a9b2d02d4627e9bff53f441f

SHA256
ece33d64c4376e50a8c10243d84ac624831cd80d410418a2e953a961914ad99c

SHA512
456d21717ba0d87d25847cc447724171b52463948c03b1d0ee71c5013542098ffad8fde73e8c0cee7158e956bf60cd535c4d428bd2948dceef6176650619946e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0bfd4fbce1ba709548105879c7ae983f

SHA1
b4ab1329b69010a65c1b9df84138639872cf9e5b

SHA256
0bde66aaac145614dd5f3e4dd82b421a91b7003d51c786663cb7927dbb34a4fc

SHA512
d5c9fe31c29e1cb02823ab4e293e253fb62de78570ee82af95ee5695a0682e51c4ccfd1213ba7136987df816fbe08acd9adb5060d10feeb699234c0e27223add

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fd24429922542cdcfc3511775d956c4f

SHA1
051e1337d276113bec9ee61fc2582bff6455261b

SHA256
3194b813a274d6cb9af2c14e92ca2a8565317022959a3a3a6ad26b7241964154

SHA512
776a5e8033d715b965f13ded9ac64c611fd692d44c9521a578e5e07ba65e17ac02a3d7480fc7d113ecd45962c4219b08f0cfa8a1172d658b1a1a0da1da9ab00f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
37743f138180431e0731f2be1f21b1b3

SHA1
39acd825eb6fa9ec33e5354ab747dcbdeb6aa178

SHA256
ae163c77944bfd67a268216973edb9a59891855296731f779ca379cea5233b43

SHA512
f67b1460888ab6b0f456d6771c7f67a5897a6cdaf98a1cab60918ffc436824080ed319a66e406199f1b89c50bfb01135ad05115535bbbe26b0022ca3f37e9c80

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ac0c7f3d884a448172be475bd7cda8d4

SHA1
42c74525d3490eae87c2b3d504403303804de88d

SHA256
74066ca4c9ae34cbdf07390574b9ea01444ff553538ab9ef541b4b4626fd560a

SHA512
f29ae6a0f882686b510c1a5eaa229c2c2ac704ae37a84806ddbbf9c51183da3b92cb9b0c44aacaf924bd3494e1732f13704bc5a99770ddfe95259d25762cdfd3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
44a70bcdc7be95051ad1bc32c5374914

SHA1
901680b3178167d8d008ebe946df753064940ea8

SHA256
24a786050c8bd47ee9cf89b0a245c4c582be0ee3d5855575b4dde1b7b8631fc9

SHA512
bc2f57887a1158ecabdf16fc1d1f201d60e6928c4f27789c2bb2d72ee801fe34d3662e6460b47bd3a5c104307f5dadcdb4fc43c80a78ef80a1689fbc96ffaf97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0a3583735070114062cfdd93228b4501

SHA1
af4b87bac40400eaab04eeef2430314d9f5c2aa0

SHA256
8f88a37779d0c5ea3f5170cfe3e592c56f39af56d1c1f99dcac9a21c79f88056

SHA512
f44a7c8a1a291762c14b9d09a830413620f5704a0631a6aa4ffc5b2b3e8b8ef8610cf1e83e1ef554bca86734925936bf135523e5edcd2c33ca55ef88dc4dbdfc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\023ecf1e-914a-4632-bfec-0a42ad0e8b68.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ce8c1de419b00690a443e9a8e78f76fc

SHA1
7d01b2456cfda75d7f9ebedc42040b79ca346157

SHA256
45f3208126f03d7a3460037c924422826073f8e329fb031c12c8d22441dc6eb4

SHA512
31eee636d058aa0d8d8c5d83ab6ea290092ffe310623459389c306573a3f0d3256c176f42c1f9da3c8b336324212011968b336a0e9c4a07b0878b760f166aa87

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bf098ce1052780b0b6b94f9554dd98ec

SHA1
be8b07aab907ec927a83d93e7e3af3b0ccb7b73c

SHA256
2407ffb508ae74e7ba7ac860ffbd13eaaaa561fb1e8111c1d8157257a1c3d94a

SHA512
3010b33cf78f9fd992bacaff3cd20355c2e5f4cb28bc3aa24f36161f6e06b98a6d02014158c49835ac20cf21dcf5cb10848025b9a187d8ef2e39e8dacc7fadca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
43dc8d41b6e46f3c8dc1bba3f9203561

SHA1
e38cb22a94931a8b7f49ec3220076e3509d2cc6d

SHA256
f646e95f598126c29ebf9ead6549a6ffd7aa6b084ac21d1c5febe57b23a602d0

SHA512
e51e20feecc3f43c0f90198024e9e8af5f05a2f763bc8aaede8b51cb183f4799e672fb11e1fcf05a74c2b4e1e3ffdc04720868f190e6d45802fc75835df54d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c93845aeeb6668c2b6c9677ba78330be

SHA1
aa94803951839e2f8b6a423f40f7115ef7dcc198

SHA256
8d3b303d3e5af9b890489e286b43fac6039b44ca622a8767337d3b910505cb20

SHA512
731a59a56f9b2bd74f34784049518f22fc31c0fa7eb374cc9e36cc2cb844650acf08e55b7279afb7750228f80ce94d70947b0a335e46182040dbe3248b58f369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8922d0c270408f73faa3b1c5a5610d9e

SHA1
9523735e42b0173339933a420b832e12544f4cd2

SHA256
afa95b7109eb32d435e60f6f179e44109a41d3da003286db0f519f3bef2f3ad3

SHA512
703f5a0223caa6b09c526ec66a64f7f36afb6be78e9df946a3bc9519f48b0c25c1cf26960c9a1868b8e3105956affa81d59433e296e318c0d5388f2052ee8f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dac3b4809ec5341b1b50a9877de0fe75

SHA1
5a04f1b48cc8c2666cd60f5143e0649b4a577af7

SHA256
f9e95e891e42d33428044e6c60bc70d6c738a76e9228c79f7103ff359645548c

SHA512
477f3e4e8fd9ffef81e6b85f8abd84b5cbcb7d48f3e35887dc9c77179f81a0f1423dcd232ea4951cdb84cf06e966fd615ee25c5f5a25df2536c4580b55926a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576fd1.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
cd49f815d8e3bd4255f04b2af63e9e54

SHA1
473c2b2a15b67bb101edf511fdafad51a3f00d7b

SHA256
d4aea077be88d4026a9536298e117c656ae79896749ebe86a2462301ca7a3733

SHA512
12c444d0ec9b2ff752143dd595ba62181be86d34c39b0fcce969e9a6408eda7e521e4589ddf35f0eef4f8c91f177529af5ce0634c32d5181be8be3b22e81412f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
cffcfdad247c82de51ffdd2dcbb867da

SHA1
a194cb6db1279911b22d6e3210b0a9d24e143603

SHA256
eb434e91166f782ec6e66f2bb7b2954af04e227e3a6daba977504723f8def6ee

SHA512
5fdc3a3a03323041f4db69eb85ff6ee751cb3b831a6ad04edf847f7772a64256f2177dea322ef0fb294559fc207b76b9c78d80e8225a406d3e8f1122b67471bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
bb0657f3298d314dfd06c6637b2b5205

SHA1
811b37d023856b5ebbdb8edede876bb4b67a70ec

SHA256
dd75a20083e0f30ba86f8ec1c8c18964561166d3ada6c9f1ae7a062237584100

SHA512
65d0e9c5661f6bb565af020ea2794d6cbd374ba17e25264a55ca7503ba32ed44c602a1d9d8df289c4c9f7a1e0ec95a6aa7224b204d9716d820fd4f000e96e1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
20444124f22c124c989932620994699e

SHA1
71f0605f0ff163b8c50a5e05eb21ba5f1c7061c4

SHA256
84e0f58604279d0b7030f641343f95643c7b7e8d9be579358abc67877be89c27

SHA512
646b81d81fbd75026e17732ba01226e3a4528fa4acd2a1589adee751b87fdcc3de2675d5b3a669a03cf9db83ed62743a84f4a99172a3fc72e420b3b3b1a69b89

Download Submit
C:\Users\Admin\AppData\Roaming\d0673ce574f8f84a.bin

Filesize
12KB

MD5
6c9cc8aa8d65a9804fe23263589f3885

SHA1
0e31b5bbaffdb0b00491624d7ea27da66e70cd9e

SHA256
576fef22a45aa6aa51b4665df2653a4b3c03c1f7b610d4f6f98e9e2e5897151d

SHA512
abfedab10da376b920897b613c195360cd6d4a02756da0a7c6cc67f9523c6cf5002d0c129f76b1508867d321ca73c84dcb87258c1513a01e9e24f9e46fb7bd01

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e918db22882444d536e601980ccafca2

SHA1
7e357e219a28766284d816060e4e0f9d3bb23b7e

SHA256
d0ba1bca668c05c5e060818ad7a72b14683608634e40bf638d15b48086667540

SHA512
8dce573188636769aa4de300b1b1978990685bf1b42101815bccb9a484b5b344f65327306dfa1c6f194c857bd83796ede2399b279c8b7012e9b128d25dd526ae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0288ab823198b2db9399bf6b7b43811b

SHA1
8c0d119bd1697299e1ee7bd9aba4db86b858c1c6

SHA256
997f9ca2517513ba1f5f2449f42b617b004b99cc6a3a01651eee3b4154a2191f

SHA512
0bef43fed784bfc98ed357ffb71aa93833031c53a70a3378adc030fdc63deab7855b5049317c48094c698d5e2d6b48a1d7decd23186c0ee19486527da96b184f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9344bd12d044fb4d66db990b2032a777

SHA1
bf86a39b480154795aa399db3c837ef1dd04fb9f

SHA256
0cd26eef1d815d79f551accf231ba25f6ddc1152688776cbd0a5017b4c9455bf

SHA512
0702ee029b53c262e07f907975707164c5a1daa16fd307e0f8f37b7fcc275071aeb8f5937cd9fec96f7b7b5bcc5e58b736b9078847675941e4dc0489ac34b24c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ffbdcd5db37331a0459222c2be8aff44

SHA1
1682f99a184e75de4d2f1aa46f317bb1fa202e04

SHA256
5c04ff9182c56da2d2e615e63c380af2777aa0f368daedbaf5228d2209232024

SHA512
82a6e6c1a4c1f37b7ca8f425adc0412280180d67af823b53701f3ffc111e80da797f425cecfa0087b80e6dbcf491f1f5fd45d0da28eec8caa844575390abe731

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5a039efdf25f836abc50d03b2d6af778

SHA1
c7837faa1c50c1baa730add3ed59b8d0796acd4e

SHA256
70d88fd416a88f38de187d9fdd0700a1afa1636078b7241def64bb8ce44619aa

SHA512
3f08f4798b5e78ead9ae98740f3c73960686ae09c86c4dabff55344d9d2e1afd24e3dd206966204989a9baed5a4703e6260ed434b4e679fddd22cfa3359d8fb4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b987a8ed2ceeacf97895f34285fad503

SHA1
6fcdbf9819e8397212112092659c33516b416ee5

SHA256
e6d6d00cbae0dff6c010bee107b4d800cd8fe33a0db560794513e6a194e3a4cf

SHA512
eee230d54bc525915ab0a0730d00664b28973427f462f4867e1c46b26209bdaf3f0191800bfaeb1839cdfaad32adf26ab2cddc01599fda077e303f2e50e40caa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
022539304c9c91ecadd2e55775636def

SHA1
74017e8a238ff1799a3d9382219fc72fcea637a7

SHA256
1294fab2ea4bd74046419bbca063fca5d574484325dd927192c6ea81dbf88a08

SHA512
f8bcbb97dbb599d77cfaf72eba9b2576af9c82348cd924a21d0fa62b72a390938f58f4908f90388cc17e64a41d20bbb9282954e3969b15a04008a6ec77228efe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
09a59f81ec7ea098f7fcd5c4ceaea8ab

SHA1
fafa693df9197f5855cef899ffeea974768ad516

SHA256
8caa00d1286537be71bb4d636a972a00785a68f61547db42a0c83079fb5079d2

SHA512
cf3fbf7bed932ef85ca4c166ead390f54a41c9e0ed762d1eaf59eaac7e40251d2add641dea1402b0e04de4f54688a28b8499fb24a78bbcdfa6d4f7ad7e800c21

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c50a0a30d5c8bc32df37e4951d0d548e

SHA1
f2e3c14e19fd06f58b6c9e58d7c8ffbeee9c8580

SHA256
6d0955e58d7105916c098844a48875e06268cd9103fee5623737f8be248c4a41

SHA512
9350ac8716083aa603bb9d98d4c964938395c2a75f0ec9a3c5298c16aa3d83baff9cfdcdd4392eca57f51d42cfb14e5e654e0917f82f4fd2d8326a2aea2a7b83

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d8a19cc2fb1ee0a48dc9d16920a6ddd4

SHA1
3fd4281e7cd4d8daa3f71e2897b1eb4d626d4286

SHA256
1a628c60dc335dd2cca82d4d70c592a0e62e094f8d44aa0dc6ad82e5a62bd7dd

SHA512
6c600ab4a0b10f5b7e29863e9aede74fe9720cef1b35373611a801d310338ba61eaf8d4693b9eacf592107053f56d27b3bf277472eaf716f6232b85cbc1b1168

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
63098d472c60aeda690d22396928194f

SHA1
fb653e0251c896be61d7b14eb25647e1b6867478

SHA256
7a594f9b361d17a74114b98c6dd7a75666c2115787e5e027d457dcebf1fc76a2

SHA512
d198a281964820a13a213c7e0c52ba268a123877f7235e19b61557d95ba20dcae023c7efb390e6fc9df16c0c0914157081477b26746b914cb64c48d34593d770

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1dc14603231df18fbf76951d8c5aa2c4

SHA1
c591757ff2134a303f4fffb8afbfebe6dfa95920

SHA256
6c7791e32d00d8ad66586d8423d7078a1590e314ee3301a353aa43ba3c95af9d

SHA512
e6a8099e626418ad7434b9a57824bf6c72b2d0a5abb267cad07e9c37a0c919f8ae57617c95f0b8fa9b3c9dca97e69fa2f217d8c5a3537d4507d82bf5f1c010db

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
aff287afb0bb3753b6d7b90ab71a9cc6

SHA1
158430282aed8cf766763d38fb6ba04b35ad2703

SHA256
1f081106278a5fdbbb6452c4b676588395391e639f23145c9c544b54b10e6e9d

SHA512
82d70eca14ba4bf26fb4d6a49ee20fc7c7164e316493bf25bfb9822db4941a8fbb45d212b6b80392263afd5b5671d36f395403b2a05a1f1acb48089644d0f513

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1a82ab8a7992d071f7297d12b1dc46fa

SHA1
148c760c1ffac5c99b88b0edf280518e296b431d

SHA256
8d1efea4045513f6074dd54b497a35d82c7f83d2fd7f481f4cb984aacbb28d7b

SHA512
c7a3f03bb2e6f772f56b3815ce8cf6705d98f18afd130cb2ba1b76fa9d30892fc49846953cdd5b69c5f5463fb99776c3c9287e65b13867ed99923bdd9c7db8ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
82f3c4ba246f5951c8dc374fb88f71f9

SHA1
e38bb0e11bd1b11aca3e17fb64433350882340ea

SHA256
ee2f1185fbdbe5f0b3ce4b6c70c4103260fe64a64f8d4388fd8383e919a041aa

SHA512
9485190a498860ee4e4dec56029b692037e78bf0a88eb97d3d29034d61dcab035259df72baefbeaf543410456213d087c9ce7ddd2cca2649e8cc4062fbd3e8bb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
badaa7ea9dca307f2d735d0c439d07b0

SHA1
12f7ae94a5285ac2dc8ae40a1d1ec5b1e8cd0fb2

SHA256
68bdb5686e64770639de79300d1f7b93afe4beabdfa6387a1ec433b853517f10

SHA512
ef501cfe1e0a34ea4ac07eeb9ecfb028d08cb42d12794d5700cf6ca7434b0c3d600699484ea2ce285bd2bf82ddfb669d9db0f8aa52b44d664ec6d299ab0d138a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
486803d490a88df1d00206293fa1b7cf

SHA1
d74663068bbf3e5a3d9cf9cd307f5db28da94e3f

SHA256
0434fd7aa2f1db573d4dd9eefe33af70893514fda28c6495e7b58c9992d444bf

SHA512
abda9ffba14685cfb6e136328fbf33262a16b3ad86372388d81bede02324381aaa140d49bbd0de32a566c21d0286ab0bf9575ae18d7b7e7ca47047d7e0d97c84

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3d4447206491bf77525da6cc26e8df6f

SHA1
38942443699f64cadb7e0519ebf3c3ec242d414f

SHA256
c0a7119093a3741b40bdf70181e552025b5015a6cd86dafb310fa0699a6ce58e

SHA512
de97ad520893449951f8865bfee41a33b8ef39971ec8e5b23b686d6a51f8fa5fd3167882951e1475fd26d5a101237e4df91ef565579347d66f9ecc99267caeab

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
159bf75a7b9f702584abc6f041b440c1

SHA1
6a48afcc0183a148b8c5545022b6c9357965f6af

SHA256
bbc90014be768ffd645b3f042b46b20646ca497c7cb27d76b146fb21c07eaedc

SHA512
30bb31d3731dd7ab42e8dca9da556235763837e419b538bfc2e6eb433e36f668f78eaf45dbe6e8e53445e91e33402724c43d5fbe09a22b59a56c8a9b4abe9adb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7ff2cf10b6ef82264a49dc965abf9155

SHA1
49971751c39c6deda8a6595eee53cb446da95414

SHA256
da34f21d7575e7a9787110d4910e7e047f3f6940cd6ca8004789b930cb882efe

SHA512
fcf9600fd1745eb846fe7a9f8678e7da3d570f8ae04656c189a62f3d54b145a559f937cd8d1da88ba35e8cd2632b9677d7adef36634214f2b13be0e33a3ba1d0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e8b0664e7ebf6d5035b386d00861cccf

SHA1
40c9e6eefd672be07106446268c4130e04ed43e2

SHA256
0612d7720ae2cd956eaf408b8d3ecaf66e2ec66e327354f43c2f896b23c26cf5

SHA512
cd5ac4d24e40703840f85cdf93b3ba98586d95a8afe4fe01e808f0fe1e6c4a4c87f2a416b7e3210802d6b29262d42f5cb17e9bc863400db6b38e1a4e20ae74a0

Download Submit
memory/1136-255-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1136-176-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1136-168-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1396-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1396-591-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1396-211-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1396-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1396-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1520-108-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1520-32-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1520-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1520-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2108-97-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2108-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2108-107-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2108-112-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2108-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2516-52-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2516-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2516-43-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2516-150-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2848-181-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2848-269-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3020-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3020-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3020-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3020-98-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3104-131-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3104-207-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3104-116-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3104-123-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3284-78-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3284-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-72-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3284-85-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4380-93-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4380-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4380-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4380-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4380-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4384-283-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4384-192-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4384-184-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4384-276-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5048-160-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5048-229-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5048-153-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5100-27-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5100-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5100-0-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5100-7-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5100-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5152-231-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5152-308-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5152-216-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5320-344-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/5320-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5396-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5396-256-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5396-238-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5456-356-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5456-349-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5576-334-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5576-262-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5576-271-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5684-361-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5684-368-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5756-347-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5756-285-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5756-278-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5808-601-0x0000012C05460000-0x0000012C05470000-memory.dmp

Filesize
64KB

Download
memory/5888-306-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5888-305-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5888-301-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5888-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6024-310-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6024-318-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/6024-575-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6120-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6120-330-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download