ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
Size

5.5MB
MD5

cb4772af8906a6dfc2d67003c8e09dc8
SHA1

3d9198f9fc950400ca7f031156732608e1a6aacc
SHA256

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8
SHA512

2aabbd4c6f0dc15ef4d7757c90e7f4af5dad433f986c387a50353f7c116eefd912ab43d1558b2c2d9e019a02089d02e074461c0b510961492fe0faaa949749f5
SSDEEP

49152:GEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGff:8AI5pAdVJn9tbnR1VgBVm1qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1452	alg.exe
3920	DiagnosticsHub.StandardCollector.Service.exe
4424	fxssvc.exe
4412	elevation_service.exe
1560	elevation_service.exe
4936	maintenanceservice.exe
944	msdtc.exe
3628	OSE.EXE
1500	PerceptionSimulationService.exe
1548	perfhost.exe
3492	locator.exe
2428	SensorDataService.exe
2600	snmptrap.exe
4336	spectrum.exe
2096	ssh-agent.exe
1248	TieringEngineService.exe
2828	AgentService.exe
4752	vds.exe
4988	vssvc.exe
920	wbengine.exe
3092	WmiApSrv.exe
400	SearchIndexer.exe
6068	chrmstp.exe
2292	chrmstp.exe
5332	chrmstp.exe
5468	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exemsdtc.exeed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\vds.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\alg.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\98392dc0d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\locator.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe

Drops file in Windows directory 3 IoCs

Processes:

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026e23f64caacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080329563caacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080583664caacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b497d6acaacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068916f64caacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004500126acaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exeed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exechrome.exe

pid	process
4092	chrome.exe
4092	chrome.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
7016	chrome.exe
7016	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4092 chrome.exe
4092 chrome.exe
4092 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exeed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1836	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
Token: SeTakeOwnershipPrivilege	716	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
Token: SeAuditPrivilege	4424	fxssvc.exe
Token: SeRestorePrivilege	1248	TieringEngineService.exe
Token: SeManageVolumePrivilege	1248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2828	AgentService.exe
Token: SeBackupPrivilege	4988	vssvc.exe
Token: SeRestorePrivilege	4988	vssvc.exe
Token: SeAuditPrivilege	4988	vssvc.exe
Token: SeBackupPrivilege	920	wbengine.exe
Token: SeRestorePrivilege	920	wbengine.exe
Token: SeSecurityPrivilege	920	wbengine.exe
Token: 33	400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4092 chrome.exe
4092 chrome.exe
4092 chrome.exe
5332 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exechrome.exe

description	pid	process	target process
PID 1836 wrote to memory of 716	1836	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
PID 1836 wrote to memory of 716	1836	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
PID 1836 wrote to memory of 4092	1836	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe	chrome.exe
PID 1836 wrote to memory of 4092	1836	ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe	chrome.exe
PID 4092 wrote to memory of 1456	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1456	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4396	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4580	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 4580	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe
PID 4092 wrote to memory of 1712	4092	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
"C:\Users\Admin\AppData\Local\Temp\ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe
C:\Users\Admin\AppData\Local\Temp\ed012cea4b23ee4b76f9ea71b99f86ea3c0a2e2ff4a5ebeeac02a2cf3e426dd8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb55f5ab58,0x7ffb55f5ab68,0x7ffb55f5ab78
3⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:2
3⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:1
3⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:1
3⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:1
3⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:5816

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:2292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:8
3⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 --field-trial-handle=1916,i,8280341195821553393,11209526787083402290,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4336

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3972

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
72705c4857953c4f05de990ee8bfee35

SHA1
ae571db05a45de41c1adca34fbbec2059a426f7b

SHA256
966759be00678367715eec9087fb7ac2a2d4ca81191a9183027ad3e128c29ee3

SHA512
534a9cb4df6508436b18bf99fe6a8131c7345857c502583fbaa5da123669e62d2d2c8bb9bcb2d95ed73ae2ae82cac6d69975ef0fb640dd3175204c860b5218bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
a94acee5db6910fea54ba4d7c764da38

SHA1
12175d0d7956194dc47fba94ec15cec6e41b0732

SHA256
6a24c19499c02fde36a467bca76408cfac0d9aa2d059dc08e5eff017170158e1

SHA512
dc1dd6119b0d7c297906fabb894569cb051ef3766348df9c25d898bf6d69079961850d6ffdd4926d5173a8b33612d59d0f9f74883810a9a856bd2662a1efde07

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
2def76ed71793ddd8747c0f342e12b29

SHA1
6184afde6c1dc5ce57949eb0d2691811add20429

SHA256
66fea3f11c3e1e4621a6c3644deed524249a541da28cceca4bdbd7ecff3d3ef9

SHA512
22f6abca2e71542fbf171c72cfa65bf32bba606f27c874f64d17712f539e55cacf6c1c294869e563785d2462477fcb102197e96d4b96c1390713feae1fe07322

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7e837219086e9f6dd980a96d757c2c39

SHA1
60ced0b382d3c9ccf632c07b086d9f7b1f9cb548

SHA256
2b51661b3638e5f68c7802aab0cc9d361979740a38b306d778cde62340833678

SHA512
96dc5141628c919a90777d54ab26521bdbadc806147085a62adb137ebbe5164c8aa6599eb56846cd795f0b45f0a7fe3663bce813c1abe35b9c2ab3a0083846d5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
06d1280efb6df56f6d3eb790ba1dc37c

SHA1
997e8a4a03f2374833828cfa50215d8e249504a2

SHA256
9129d88fd6a189a706c1f1cbfde5f80f8b41ed888690ddaf437d908ccd320826

SHA512
1cc5996dce145f36cac8b7f2ceb9c86196d213cec57764e81117057ad0411ca9f20576a1dda0a64af788991ea8504b6ec2fd922eeae6f4841e2caea699e86089

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
16d9d2e24e7d5bd7c84d7d7109526bd6

SHA1
4e6a1a419ff0a9bd66608fd63b6469d38fe0fdd3

SHA256
d8f7b4b286a1e3d170c8d481e5764e696418d1c896d779cc63921acffed30778

SHA512
cd71d543f0bac2c00304a66993d46925b7a207d2088fb65220ab5f918ed026ea700cd716bc78288acb4814a2386712764ec16bf000a192b9ad0b07221adc7ebf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
fa78c85df62b206b5db776e3d51ac8c1

SHA1
888742e26d1781037669130a595816659fcc6855

SHA256
74cdca2ab356e00676df104d26e210894fe5128e318f31af02734088e366b1bf

SHA512
cb9f7ed1f0a8da46fa027a964e245cae520b1927fdda93f78764210f6a64ed91775c7ab19a3b8885b619ce6403cf843f5ed6c6cafd8392a70f4cb6c6f065d821

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f226a176b6034b7553aeda9e70fcaf0b

SHA1
a4fa8197ba4b20e5d27a366e5c3cc74e9995bf80

SHA256
607347484a82b3c7fb0cd099a5220076c61e5f1be4bdf3bcb8c94515933af21e

SHA512
a4e5b8030b155fb479d0579a5b555e4c7c501618acf5a68a1bf2d470ae1d180673f3df42c2bc66f49d42fe8377c1043bc079080be64b6002eb98cd560905a3b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
5ea60eaa02af294cc2cf78439e198f50

SHA1
fdd5805087f22b7aa30a9cad085602856105193f

SHA256
91c746dbd31f453d6d5f609d19742f8f728f675441e791176969cb6a77528993

SHA512
6ae33cb4039c12af8d96d115994a734da156291ed3118b38d4be9941ad9805f4b8a2bb8b5408087bda871aa035b0515b1ace95a0621fc1a40063f5ca9503510a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a6506dd9c3a2579c52d878b65a27bb23

SHA1
772f148fc591ed82778bc4ed41cbcf059b532192

SHA256
b03c2597b3f02763c6dd2e3d57bbe97a3f1c5d07faea7ff051cf23a6e4fa0c20

SHA512
37e294cd4113d64dd8912be167d1fa39707199d72d201c81337c614ba912980f8b6b2711cbd78d932f038630334a6890201233fd0f67a6a05a1764c6220cd567

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a2aaa7101f75ee0d1228e570097c394e

SHA1
0a133dbaa6f5e76d97048943bea74d25fcd9129e

SHA256
7c211c75362facca6f0fa0e403c6c6de91bf0e8173490e4bec20c9dbaeee9a4b

SHA512
adb15030a8f0567239a5ebf10b93bbf841f7593fceaeb4fd7d4df9c0338821ef459d641148156d093942d6067bea6ed2657734cedfd47376ac3b7fd42a7844f7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2131989ef7732ab0ecd342a34aa09598

SHA1
6b20f10d53c9f8ccfe15dbc73aa9035e2eb7a879

SHA256
58f0b359c02971a8eaf1c585b0310b0261210b6dabbf161d603908d4d232800f

SHA512
2c6ad80fad38bd9478e82e7254f1124d5e75faae89753216e969d498d32182a3b61d86cebe58259d5de3ddbda2ed69c0377ee34bb4e39e0605642070249fcb89

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
4d43f7aa171a559c700ebc5214962336

SHA1
f6a6f08a3d7e62ae4c480873b9d55902d6c06ed0

SHA256
e500a927aec7817fb55bd5aeb2daae47a4d4b8fb002ca7a3399f05cf25497a8a

SHA512
fcd33d498fe4d72f60b0fc10b83664ba057b0681aa48a4a1926258707cabe946ee892f0d61ea4aa28c428d374a726488f53124237b967977b2646750ba75be54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
5e557e97e1274bf9098ad2e100c7cb30

SHA1
35b1c25cec8dec2477c854dc7814743ccf2fbbd8

SHA256
105e6fc9c5c0c01d98ec3e5b04168690cfdfaf3d6a482ca2aeeade42a5fffd97

SHA512
c11c3a93c4f29b9896a7303ab99ace420cb9866c3c81fe6416816d20eac7e64d07e741df2d4cbeaf042a5a0664ca21904ee4e21b877f38e4ca23ba886cdd3da0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
8bacfc376c0ebf09f9b55b988dd346c2

SHA1
1ca771a14c5fd663e1c2ee80c7e8a904e9656a7d

SHA256
f7aefb87d25f3ec6de662c9e5caf1fdd6ee054e7e5f58f0797e4c7625d418557

SHA512
1a2f3865dba59c149d0d672824b1f1094733f56f5fbf625e0396cd9e7c50705e5f5b553731124935c8f0d596ebf8c3d43224fd687715873a88125cfd537d3f68

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\35cc6671-c035-4a52-9257-8d2f16738f35.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
dcea74781b074f8bf006ccca3b85f21f

SHA1
0939a4dbf4c1b32ca8d3c8fd8c3dea1a365af56b

SHA256
9942e8e139694d98556d5139c0c903a015cec245e8f2c0fd173759b2cfc9a68a

SHA512
54c9f32006eea9779b1f4a36a4ccb46a40f863b02d1f3dd6587ef06caf62158568917f5d9e6fa94013f7490a02ecff6e1c3cad30725e1bbc9baaeca58a497d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b05706110fb366090b6ced15ae52bca0

SHA1
087c051c16af95536b246e70191a790f55c929a8

SHA256
e4cbd745290c2d88b402be6a9097118fb8ae750a3aea7ce7e8105b5963cb1772

SHA512
edee1ac92bd7211439cebe687f78f0204f16663f169275cceba79e442d69bfb27d0237695dc63a0aa10fbf9e8cc9cf2e1a2b3828dce302825c17c3ce0d70b86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
a41ace78c9614de281a8361088378c4c

SHA1
bb880843859e16c3c2e418fa59d1756b9dc8c88c

SHA256
dcfbaeb2458d004059b34a7bac4a72c8fc4aab9a2e073a4673768c125e8e5f42

SHA512
972ffbe78a57a363e08a1b814e2c9f41320d962afbdc928abed20a13e0b6cdb1473f04e5f8fb7bcb3f32dc9f1fe222d4111fb283c9a3e3e67410aad9341b750a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
958ef8c81212749c776c80b949297c36

SHA1
ffae55b4b5c4a256d4498728e1290e8b887b2802

SHA256
b6a44eb1ea95e0d2d8060b41957eda459f0352a9a60f4ac5e45b492409666826

SHA512
e92c381f680e28cbfdb9c7100db1c070445ea291c4432dfb000a449ef975e9a6456a4304f69b25d68ab5beedf9a245948a96fae5b76e0a54e56f8e3ff63ac2f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57633e.TMP
Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ec1a7df1bc094c16d611fadcae20cb74

SHA1
117873b832ef6db03b04b21b862c80853b4142bb

SHA256
1599f88dbe9b93d43ce9507cc703c063b4e4e8b2f8b2db30e152fb5ec7b4ecbc

SHA512
b205c24d6ca55b7afd2bf6309a74c051bb2a29b7d89e2bd1fc925fdaa133d5ae6d4e7d3ee6bb017cdfc9b220a839b1be5eaf8dd9e16b39759732cf609bad43d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
5964838facb16249c9ddece97b045e63

SHA1
cb4bd945437b8ecdf19be36e52a73bdb74a821ac

SHA256
8be1e76ab71e9c3c3b1d51e1603cd397de8661c0743522534902b7deca33a12f

SHA512
4317b0b285d3dfec81cdc3ef671ddd57acae5e385c911f7b013bdc0382b746d955d10b37031e7b1553db7e3204d643d8929aea4880b8a748aba44cdebcfa2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
09f9d2b14e2d3f849757d5278516c0a8

SHA1
bd55e84f267cc3e89a1f95d4e0c9313e20a96f11

SHA256
137af110d9141b795f7d164ed9794daa7e90fad2fa7b40607237f87286e0f665

SHA512
29e714a9938ff93cbdf29a4b96dcb33474c06412e91a6d3ad128d55017b5d9f73cec68d5c8f03fe382afe0f7409277a7d35dbbb9660d70450b59f0ba89b67719

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
26820d424ae198c47e2ac758541d6304

SHA1
a932c8e6a5d99a99d5e8c35c6d882536cbb5a7c5

SHA256
b4e80879c014df0cf16ddb3ead541efd623d18ef49d8c690d9dab9701ea358e2

SHA512
10970b4c209cfe0504802bd5e7d854fbebc2edea6587a98099a1f63636c74c0d9419fa290f9de17ee49a5c300911bf9e5ae10edd865d7170034cc8ce3dc6070d

Download Submit
C:\Users\Admin\AppData\Roaming\98392dc0d590e271.bin
Filesize
12KB

MD5
2e601ef7e25dba6d2a98dbd7b8ed0aef

SHA1
c4aad1f01362896ba03c1ec1d1d55aca1d544f01

SHA256
04cd5dc7dabc5cfc3dddf8bd2a53ef36826b57c957293258624b88d15681db7b

SHA512
3ff9ca6ba38477890b9edc55dd4d5cdddb162fcea82edcbc533eaac805257c558692af9e3ea401f35c543e8c5b2e5399adac7ac948aa656bb29be400162bbe10

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
322e61870b17ed2dc8e2838dbac10b5a

SHA1
06841a75d78e1e74969c9bb45d38efd7a6407669

SHA256
3f2122f12247be6013f1a35636d08351b3f8646ce0f9169c22ee9b266c669283

SHA512
1f21fd8864f959d1bc677f87885c53baa686c01dbe0f7c285797bbe888c3d7c0d14a97bb3a974b5f62c3e9bffab74ba32258e8108d7b4b44a0209f3bb1d06b71

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a99c3c3da63e5469054249708ccd3258

SHA1
d8ccc4a754be815b69a0f051cd62d334c4069aa4

SHA256
a8ff79ffdf7631fd3a6a576cbde1bc4e134993b769ce946d4514e47862bad41c

SHA512
6dbbe816b43fce93a2b309dbd2df6073c7f78c6205c0a881ada5440e9b56c2bf4ce7027c97732c677450d8018c886769717c2b512444b095424b219d169799ee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
f26446be2870f9cdf7b0b0b1c09b977d

SHA1
e9716c06802a9f2afb709859110176fb122747c9

SHA256
a539c6c13c88239b8650e36535a1b7bd8b1b67bc040b21eb6a738f3799adaf9d

SHA512
e5d8226687593033579484e97387eadc5e25d9b3a54451a2c4b0b0c625c87a45a6d18b78e7bd4c88e87c5135b4ddb04e4d3016e29afeca46184b46245a6557a1

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
3c9b9312bfb35b02986ac49a5c1a6c64

SHA1
8a873ab2f9898c42d3c916890c304e67b6b53620

SHA256
d37e29c0fa2e2183dc5f9b699c5665d84de15bc0a5ef9908225695c2e6ee435c

SHA512
b2e87dbbbaac6178b109c8e87ef4fc194aa04b13569ac4f5e9df1d1e9e7ad3c2b35b9669c984e1ef7bf1b1c956b83c0f55f4adde66de137d4ef912f4618985aa

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
889f328f7384ebc2d3ddf73852107123

SHA1
94a160192a4b1813d768d068cd7bf2c2ae338529

SHA256
fdd1a3953105a9aa844b2c5a6f9c6b22862d3d30d80ef0e5ace37a270e652a4e

SHA512
fe88891aab0ef4de479f09b5f1cce560bdb4992c0487bc8eabd3d8d74fe3d8fad1006f61ce525bfd996c07be4696b9823622578c06cd6cdb8943e306c9553f02

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
f586f1ff9677652c59ea0f868bd0a704

SHA1
02c415e9307d04a54257905e4d2a882c5974dded

SHA256
6e6dd3221f8b2c7570fa63f416853a8af6bc8b260642f36c8d607c1472866ec7

SHA512
29bb37c8eede9d53e1fbd93658754cca8f1245d7c9bd1261fe365f17c6ac0aded338ab9059ec7b816290844d7161df833d5fa1d1a24aed0cb0a75fc11e51078f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
844c9a889abe6de87d3bac613773e77f

SHA1
b8d18a7f186bc6c34da9bcba578eb3d8c60ef2f1

SHA256
83e71af17da991f345160602f5aa19c079025b5ffefa84a48baacb5e00d142b5

SHA512
d76c097284e9d9caea5193498c5853422150e3a03075cb9adb5a52b783a3e0789369fc42280533e9738af11b9e617984afad3331f27bb94a8fe7faab56a1afed

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6d026fd49077a91574844e8fc7d338b6

SHA1
20976cf57bc4801ac799610ccf19b68468722798

SHA256
df9bdaef5dfdd989edd705bfa23676bdaa7a6ed2170737225ccd79d7304a0c8d

SHA512
c300a129e4910c1f9e4efeac47840863469d3fc852282fb4cec5ac1471078f03149eb088dca3abb44a48084b75111dacbc21c8570c28ec84e906d6d0d3d4c886

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b1c85c41fe4213c22ecbdc563a2f7198

SHA1
33995f84a8365395f02701f169847593e3b30974

SHA256
ce389b7edc3d0bb331a6897abf8e46badd139dfc1dde8792e7b153920a50df52

SHA512
ec8bc3ee4114e1519dca88011bc04e5c46e271478fa5c491d127cc9d47a4ffa732720ca35f76b39a5a0aa793813d5df19283f2accb15ceb13f8eaf5919de752c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
50b3526a0cc029fe25b16dd3a5e3b663

SHA1
d4bee44d255bc81bf28e657d3c4458ea9b45b717

SHA256
a3797a0edae2400ea6aabbb38df675fcf0a196daff4d37b304a767be334ea374

SHA512
0fcd2264f5a4d40039345fbe33f89025d4ce170b70c090e3a624d9fe6148747980f404e2e4197ff3b317f8c3482210d67e798870c988dffe99706a5ce0aa3a7d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
da5832d268abd8c2e2a92a22532d984a

SHA1
930a80ad95f9ea8f4e86c9f0371ce68dd081a281

SHA256
3f0aaa2ae6158585667f460d962e196c817a1ce13571cca8445f44be97098182

SHA512
750d908a578060e52a9f84bb5d654bc1ef568c6cdb57dfe3367c5c69b93c93cca67a7e7005282e22220b8d2aed994df0e0b6dc1bf664f9fc965230940cca1168

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
618d6fda3ac5e9a7aea11b9ddc90a00a

SHA1
22673f5ee91bd4fe89e2e518cbfbfbb9e0631046

SHA256
6bb6b4591affa3b8197a6d13ec472b84ae75f0843b276c751ddf1d4faffac3fc

SHA512
594168e90fad5c53dd4c207c52b9630f5d68a00fb4dccc6e2a920d1ea8e229d558bd2cdfb0ebb0fd92805510cb56a954820870f09b219d749be73108c5900451

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
d7ece1d4177fe4a72b4360fa943601e3

SHA1
cbcc982d18d8baf16697ce09cfeb88ce4406aab2

SHA256
0827f1237424de1493e97759deb7dc0930cc277269d79dcc0912ed516b9a2cd2

SHA512
b422a8c5ded0e1d33078320d1aa9943355bcc30b2b9f7183ee92643e7cb65eceb4e8d8441cb3ad1f8ecaa4b03297f62dcfd9c842d061612811f5f3f13744324f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
7fea34cf0b778ad7906349776781f457

SHA1
4aed87692495fcb4f261d3807d1ef8dbcd245331

SHA256
64b68d0213e6e644a94bd418220bcd5cb4bf8b5cc9489d885a08624546cd502a

SHA512
d828b260a3614a01fcc0501e729a66dec2199a294dd71891c884bc5e10afaa255b4bea41e095ae734d3baee5c518fa19fc43dcd4f644f8e13bdc19e82835b76c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
7e8d7f7139b2c24fa89f07e1763dd4d2

SHA1
4d04973d14d87c00ead3dd32e57090c4f025f178

SHA256
dcad7886681d2a5a68c81b3ae64f314b88164c0759fff31ab9cd204a18c49fbb

SHA512
0b49adc805eb4b56dac0334660a950b66fc5d5cae20871d0863a3b444673214bcc0a06c3dc1fa98ce57bc47ca140e9fc3b4b85f744e1fd6daa12e192eecca33a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f92fc5efcdc6405f92a43ccd1d50a06b

SHA1
5b5805f7b009769ce198c4976499f2461521e5ea

SHA256
1fb27be3889aaa1ee78435198d650f78fe5a59bc402e82c8bc410fa2434cef7d

SHA512
d447a9dce2fd7cd12219668df1832322b14f743b68b160331ef0e2d5fd85a89c180addc7ad9d2d40f311c25773d6a8436f1ff655169976e353b84973928e61a4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
75b679c667c288b37f6c5acc115ea86a

SHA1
0fd7626ceeae53fa1fa5978220996e3f754f941e

SHA256
a9af394728fa578e2f328973af1e18591730ed92311369ced545ed600d330e12

SHA512
813cae0262f2dd71c8279eb1b7d4f4c840da3be770eddd18bc6cf7d9a15aeeda6a277b4eb6ff9441f022ab04e96e455afd37e93bac8fe6a23e37550a46f0eb1a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4988a35b2a175c9f223a735c40e2ec65

SHA1
b316103f8d18f4b9012d236a48f3527828f2a7b0

SHA256
13342a3068c884e5c6a3a328bebe26731dfb782a54d455e6dc545d6efd5bec26

SHA512
ea4be0c247f8d9e8c96880de24d0f9d0f5e869538d8150606ac3ee7028f9fc26a6eceee4e35d93cc09c10a1cd12804e3e77d00999a61fda36ce7d95ef1a74efa

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5f9cb7f8ceabaa799f30f03dca9c719f

SHA1
db3f9b089e4fcb02e87c42d89272a19f1b91491d

SHA256
585801d8b6c6c67ac2afcbc1c33d8a20c27c1be7829a08ba52e5d85f5029864f

SHA512
5a24acfa34005a06b2150d740ac70e3e546f87872f97be82a29758ce9e7a5a3f96b34c23cac8007f3eacd61bee9d37d7af97914521a7a8da3c022720e2bd250b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
27fa7fcf325186dda08c93cbbdae7df6

SHA1
a806c91c497ecbaf3a3c0a677a075dc77246b878

SHA256
6292355af145deaf6a84cdf85a7f7993845cd527d728fe9c13f726096b8afeaf

SHA512
e6eea71b0f6af852ea7796dd4a278dc56e989df69684f2cd4890e6ee3b88662b8709a8b574a421cf49935b57ffef0c998afb45987256b11e8d3e3de0be3d425d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
1c7827a0cf9784a4c24d6e50fc66a5b0

SHA1
991c84d8877a3ad1fd6b52da1cc5139c6bf5dc40

SHA256
9a84a99be567cd8cff93db3808cf6e9aaa2707fa0a92b1e4c2287c4283e18460

SHA512
9ef4edb876e1600b87cce0317513aebda4daec222b245dfc03a9c72610ca454e2ca93a18b9087044fc9dc3a51972df46d0d5df9499c4eeb25fddeb534f2cd6b8

Download Submit
\??\pipe\crashpad_4092_WSXTYOQOXVVDJFGP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/400-683-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/716-18-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/716-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/716-12-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/716-558-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/920-346-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/944-169-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1248-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1452-23-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1452-30-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1452-589-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1500-172-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1548-174-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1560-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1560-679-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1560-168-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1560-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1836-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1836-9-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1836-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1836-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1836-36-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2096-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2292-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2292-716-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2428-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2428-176-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2600-334-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2828-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3092-682-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3092-347-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3492-175-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3628-171-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3920-54-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3920-53-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4336-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4412-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4412-434-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4412-78-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4412-72-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4424-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-68-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4424-65-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4424-59-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4752-340-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4936-92-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4988-343-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5332-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-717-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-607-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download