b42f2928b098701e02974b06c3debf6e038a8decf18caad103b216aa79218348

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
Size

5.5MB
MD5

44862de5c3d7ddb7a013feeb92082fed
SHA1

6f983a40fa9d8c403a34efb1b6ea423c04169274
SHA256

b42f2928b098701e02974b06c3debf6e038a8decf18caad103b216aa79218348
SHA512

9e2a37d0fcef8c0e5f8619c4701871a343be68a85862e561c0c039e40702b3554d12b51acdab29e4e3b1367647cdfe72f5da8fe6d336160292182e1a115d3b9a
SSDEEP

49152:vEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfB:LAI5pAdVJn9tbnR1VgBVmDnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3016	alg.exe
3476	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
2052	elevation_service.exe
468	elevation_service.exe
736	maintenanceservice.exe
1296	msdtc.exe
2696	OSE.EXE
1972	PerceptionSimulationService.exe
2096	perfhost.exe
5088	locator.exe
2988	SensorDataService.exe
4792	snmptrap.exe
2648	spectrum.exe
5204	ssh-agent.exe
5376	TieringEngineService.exe
5496	AgentService.exe
5592	vds.exe
5692	vssvc.exe
5824	wbengine.exe
5924	WmiApSrv.exe
6040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4d1b2be1c4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b32e5c9287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f1bb55b9287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032318a5b9287da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f870285b9287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b80985b9287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d42fa95b9287da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012336b5b9287da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568201543630657"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058e63d5b9287da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b80985b9287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
2620	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
3592	chrome.exe
3592	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1804	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeRestorePrivilege	5376	TieringEngineService.exe
Token: SeManageVolumePrivilege	5376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5496	AgentService.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeBackupPrivilege	5692	vssvc.exe
Token: SeRestorePrivilege	5692	vssvc.exe
Token: SeAuditPrivilege	5692	vssvc.exe
Token: SeBackupPrivilege	5824	wbengine.exe
Token: SeRestorePrivilege	5824	wbengine.exe
Token: SeSecurityPrivilege	5824	wbengine.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: 33	6040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6040	SearchIndexer.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2620	1804	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe	84
PID 1804 wrote to memory of 2620	1804	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe	84
PID 1804 wrote to memory of 3692	1804	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe	88
PID 1804 wrote to memory of 3692	1804	2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe	88
PID 3692 wrote to memory of 5000	3692	chrome.exe	89
PID 3692 wrote to memory of 5000	3692	chrome.exe	89
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 3932	3692	chrome.exe	96
PID 3692 wrote to memory of 4468	3692	chrome.exe	97
PID 3692 wrote to memory of 4468	3692	chrome.exe	97
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98
PID 3692 wrote to memory of 2632	3692	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_44862de5c3d7ddb7a013feeb92082fed_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c04b9758,0x7ff9c04b9768,0x7ff9c04b9778
    3⤵
    PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:2
    3⤵
    PID:3932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2748 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:1
    3⤵
    PID:2688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2756 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:2764
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:624
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7710e7688,0x7ff7710e7698,0x7ff7710e76a8
      4⤵
      PID:2156
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2872
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7710e7688,0x7ff7710e7698,0x7ff7710e76a8
        5⤵
        
        PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:1936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1040 --field-trial-handle=1888,i,295361814559973270,14092786430372361524,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3016

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4272

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2648

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4bfcf553715b8e2a96cf8b3524b42837

SHA1
1f1d8c36d12d6e08fcfee1b5b305650a7adc8b13

SHA256
6f54f4f87b4628a40f1fa97c1c759185d7f0735d6bf1e09ce58c3d0fe444436a

SHA512
4cc5092db95b8c9000993f93aa0e3ed91bdfbbd3116ff2708b58c018bff0573c4ce101b271a90b2f37ae837c99f63e563407be29eeb9e70a540630201be93b4a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
21a0025c6406c9b98a1bde0f34cae4b5

SHA1
5ea81ab6bc2570db5aa7d4228dae530237a4f0e3

SHA256
533012c59b0799893690bae4d52e34a35dd47fc873403b66bee407d485ac2048

SHA512
88700526c04af6e03df5e10cd2a21f8066baa1e0594cb10b7c563491b2234ab4e0b4384c623d7aa62e72c380f865f510c0ce5f6ca2929b56ea37f094e8591b1f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6b6806b925c6c06eceb8f972e7d30e6e

SHA1
292ef48760a060a64a3da552664b7be267ede836

SHA256
e49f99a461ce49d419dee0e3df835fa2db10df6f1ecf907b7af0bc4703860b3c

SHA512
17ec09ff8ed630dc17fc82dbd06a80f33a47b126cb3da81d6b02a8b9a0cf85d8394f18d9e8c8c330e6d6b0eab04e72116a606c6983defac0ad8336ed9e42f65f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2bb07240e49b362e7ee92cd69ac8c230

SHA1
c0e94bc553d7524295bcb09005021ab52be107e6

SHA256
acfe6e0439079c9dcfa3cfc81fdd0a1c6558f3972c8e70a7b41700f5b7d716ed

SHA512
6e38330104495445538a4578da63d6f77ee1cdb0a1c19f604d9dc32900a76691e831f27fa4d0bd94222a69ce64c06e81251a359e8a4a19bcd44affa6ad12a307

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
60f98e169444776d09b96d85b5a95a00

SHA1
221ac79f1c7c0de2b1fe1a9a1e6029d61aec2814

SHA256
19b91120e0cf99804824866de1d16b9c28caf474dc276e552ac0d7a2d24fe7d2

SHA512
03bbd86430d714174fbbcac62a6bd0e3e135677aaca9f78afbc85040a67f4d444759a16ba9988f4779e8fc55779d01fa758385564289c1d56621139f9ed3d1a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1f71482b4edb5d9128ecd2802e3e785c

SHA1
0d1c53187ae2178b11c69b2913251df1358df517

SHA256
1f18af2e1e2585653b9266d0f498b8a7c86c43399bbce469059758a8efddd904

SHA512
2b428813151b7ae2436bc4397959b6575ae9dbecf806a850a4d17a156c53b7ade2eab89402cfe4e9b3f14ab9a239624dd07648e2cc277aed985d0de15170af9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
988165467cb3915ca935e2d27f78adaa

SHA1
48ab88cbda12d13e94a3b06c5cbfb302765848b5

SHA256
733c74b38517bd4887916be5ac8d5543d88e9a7b0143105f52cee0844a0406dc

SHA512
db925d04467b09dc152cc79313de38dba100ea8de0b33a951639e114521470bf14779d5b207f57d57cedcdb5e0e81a206f4e81163c23f363543eb93990da861f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f3ffeace6e20cb1da3469fb3e3611fc5

SHA1
b4ba6baa1fee69c0ec2cc5dbe49f385d03c3a76f

SHA256
d9d526472c8612ae4cf7b1425fbd901c6ce019a612ddabf17ececa5089c3b9dc

SHA512
b07b51230212a8c01278810eabeae393e224db9b9342089e73f5679f8848218c5f3bb09b33fb68db4840b5bdfc48d0f9d8af4871404785cf97e019f4f6347f74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b8287758f816901765fc35a530603c38

SHA1
735286b7ba0e52d420bbcc629e77fc17bf239a0b

SHA256
7f31f3c23e737bf090bb02baee1905b1f1fc9bbdd73368b584b95df743827feb

SHA512
dce291190b0e3c40a3c21def79c1c8be8866de11069dc4144da7032b04c0d8554f9b87afe0e24190782131e4bbb33423b0ed2490abbe1a04e4c84f6f0acb12d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a89f9f47cfc413b94bcb919501c9f7f7

SHA1
6520ec676dc9fc0dc7a45ca482922cb46a7251a6

SHA256
313cc67087392019e2fa4efdeb72bc947be67eefe009ca7e63a964a69c1602aa

SHA512
5bd985e850deddada041e14ab003f3bfdf95e0bc3678b1c924eb26460c09a0015b51f80d58adb00e5399b90c08ffb177fe259745792a5a320de1f4b893cacb21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
285cb2ea6690c828932fcc29d6ae0e5b

SHA1
3e6c72ba8bc38983f57054e80f3f062d64235b7b

SHA256
ecac78c5e363088992c8a664910fef0f66038911b61f2a9dffcaf5b5893325e4

SHA512
3e3013aef075cd5350d0d7ff793dcd56f442b79a6a3ec899d6405d86e829e3c1cb43213f5c4dcf3c05bd935e4f783a76b5cfa2b75a51866ac35e4cb0bac063d5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8be0ebc712041ae2e6ffb54ffe9c7439

SHA1
c056e3dcfddd72089c73e17e84450ad0361646b7

SHA256
8d6bb9d5ba18e312e9450a2fcacaff7d259b0b9f2b68e672d6016ccdaec3d973

SHA512
cc5990dc6a745897db11279b3e51f4bca6542f772ae4a8a7730fd2c0cd58a0301707bc40b879e50217375b68776c16423981f5e426cc7d1ac18e41ee851519ad

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ff42a53819716641f07e1b04e481dda7

SHA1
36c978e9084aab1b63545d316a6a4294b01a909e

SHA256
2ea2d2ef392fb6fa6da3bc7fcdc06f8086d33c6413e75783f275e73a5e79883a

SHA512
8fb6aa57f3256b6b852df0fa054b028ff4efe29df9d04b6028d2e2cfbedfd0dd1020af5d2491cf5b1857ef4e9a55bbdb35ae4c83b732a39c59f6a554624a499e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
5f0075b2238772e91ca4c046bd0f14a9

SHA1
87ece656d9b856940319e3741e51acb632929db9

SHA256
6ab9274e0ec22ee64253c9c4700d92fd2e4dc5ede6e81286392ac0fe79cde9f0

SHA512
a83f10f042ae8475a3bc7db073bd2d44193bb5d6e2f2d3e954c505a5e0956ebd4918d8d2ee1947ef47bf8401747bfb36535863ef0c51a702732443aec1487d76

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1b9b6cad94f991a76825deeb7b919f43

SHA1
6ad23aed867c34bcf10f9b06ed1a999621ddf818

SHA256
d782b33787e66332490bcc41936affbdcc282185d804b1e17573ce54509096df

SHA512
d75a6bc07948215b1b98c64db928763b22d664f02c20b11f57a651769ecb3dd29f5e7392dc4aebee962cbd5f53ce8647c5d64bedcce68a2ee0313fdaf34f9b11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
04689b263b7497088ed9009b0fe8d8c9

SHA1
d4d1bce40d8fd40ed6f2501edb89eb280416e943

SHA256
1bb3d54a0a37d679d73f9284fb59f886c95073515bc7b032437345c2c10421be

SHA512
78b9cf69f8dd4f0cbe9733f7e1d293995800a55ace12fc1fde8f41594f25e5180936083099012958b72ce2748c508990168701250047f0500fe8f6ffb52a2055

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
63eacc64938a113d0a385ac9516956d7

SHA1
dcc43ba9ea7d7393f58c6d953971b5d29eb0e4be

SHA256
a307fdac8fcabdaed49e82ca6aa6fdb2ba2a3c77f95e1f86681c095696e81fa7

SHA512
41a86400f2c865c0c92a31528c5d16a5b640574399032b86de0dcb37dd8847dca94cb6eb229f63932ea8d9b74f276e8b408c360db6a752374f324775aa1e2dda

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
641c5c4610dd353fc002a691c1035293

SHA1
7e1ae240484941a7bfb82ee0a96d7dde5295642d

SHA256
bbc80fb19c0ea39eaef187d54c33bee93335b3f956b1b067dfc0f13f0a59cf87

SHA512
2ec99c4288ecf0448743e14f9ee29ea142b8cd2f002a6df4a6429ade335033e77a3e1759b2add1d67e0ebadde3c4cc79a03c427d8bda9c429b902d8c59e07f0d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
099d6fe70e4ba89fb2e8855a48b79946

SHA1
f5af451eaa4c7e226454395c32126843e22e91a2

SHA256
031a4ca648944f0de9b6231c4486ce157c37e43ac382b1b0b069fa56d7ef982d

SHA512
f61adefeea60211eaa8b314b999fbb25c1fb3736aa9512bc4440ef134653fdfde02352cb655a68577efea3ad714abb63919ca2f6c279642d47dfed0406278a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed934bb42e908b65468501ef47d375e7

SHA1
449eed75ed041b4301ad5049fb27f526f8e620e5

SHA256
a144b757ceaaa38b14001908e4524269736b30e4ee3548883f2d9c1f403f14a1

SHA512
77ae06736592a690a229b57730b2f4abb4d924bcbeb5c67a60f424bb6678fcb72f1481154018ca60603b246bdd10933952bb1324b76b7b1649d9b79795919cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9a73dd386ddda8be3af246dc31caed60

SHA1
445824abf683f65df7df0ea35f6182ef5621c532

SHA256
931170de53cf29c88b0f46ef078edf77b91878517e1c224994276c1309b9fd37

SHA512
768c41690a12e945af2e2e06f9b0646fa3fa59b25f5a26254a0b97242828edf93051cb44fbfe9fd1ce87ca540d7a10b29ac6c31d46c1e2a5dfd7a4cda776de87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b2d4be937b86524c70eb4133f11c5674

SHA1
0970768b094e19a4281bbe6b70436dad71e7cb97

SHA256
80bbf7dd8f0ba8e7e2904dba7202c51af8f91acb3727f7188e5a28f1e1bbd8e3

SHA512
534f70485e75e1efc7ecf7679dab136c3d7c7c2f5646bd61af55d29d99de0088a8905bd26c2dbb1abce0c6a54038e6df4f5e8e4e563377e79c8089d5aec06e60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3fcd885d9f50d27009fa8f2de556d75a

SHA1
8cf974d26fd97d1aae3ffcf04fd032cfdb86aa93

SHA256
e5dd9b408320af6f7f3ee979f32502c247077baeb8beca89c0db74bad82e3abe

SHA512
f1c8e5e3d794c610613eefe1976eb2c88ac778e86959007d7946c4a0e30ecfef14c684d78bdea97dcfb13746f818a2e6aa0855d235147e730a83d4d91bba2408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fadccc45ba46a7d6c2e5650d5639dabd

SHA1
96949806f03d37b1f09f46af64a74c3fd1bca193

SHA256
bb399b2faee5ad18f3bbe90248dd4ace449b0a5657dcd11cfb5cf38542507f41

SHA512
4beabebd887f68aecb2a8ea8764ebf29a63d2a0dab191f204d39553c0c13e6803cfba3a4fcefe7b75681f40d702f59795a300012cecf63dc27518147365e94c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ae3eb60087352b90154b87d785ea8e82

SHA1
a57aec9da0dac7454f1316b1cb2cdb0dcb97e1f7

SHA256
0357ece2822141372116fdf1d8506de50ffad5605b339f08c80a3f548b476310

SHA512
e103b22fe4b57970d61e888dd9e685d93c0c30e8c9db4511f17223165926c990ba40e067ccf995c4706658ca1eb8ab3af39a77aa0e3bef1fadf8cea214c7f02b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576f83.TMP

Filesize
2KB

MD5
96369edd1a4ffbe3b82168be4cf74b6c

SHA1
b3fcff571d5bdfa454dbdba1993921f374561acc

SHA256
99957138c3a3b80e8db4d353e5990f2d0f9dda00f16402c4c918657c7c155c61

SHA512
702ea20ec2cc6f6b526759ef549c9cad339c69ee3d2c3c2e7eab8323273049d0ce333abab50e4d4abf860389c417c5e88a526a7dfd84c7354b3e3b868e999d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
322005752a50fcbab9aae4d378a5ce9f

SHA1
4a66bce0445bbfdeda1c63b7ac49db84d6d575ca

SHA256
24433c65faca8d9599bbcf66d41ed2b128793ca41e3618709b67b9a0ddba3732

SHA512
f7b56b866e41fb9112b890fa3b2d2279af255f0f426238f32d890bba2feab18396a3de002ebb3bf8e26c70b0221afe38cff4c796d9a55c7ac4773d29c70352f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
64d82b511c775524aceac0a857634cd9

SHA1
0e2873034e4be6cf97a90ecadfd5a43a2cb9d7e0

SHA256
53a5dc426be80ad03f818269ad8ef01cab99b9a67f565eb258978a050e15cccd

SHA512
542f57e46b45dc7d8e7fbcd195865155dd97ef6e7a7ecc0b4dfa50fefa64fff89a687c72ebe9dc3acbc6433d3aad0a1bba575ed274cbd643ca1b80df2d448950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1c4460eada8d97b0b3190976656360a3

SHA1
39cec787feaea78fa4db8fb7baa021f872436de0

SHA256
bf1ec8bb2e62680b4243d7c6bb538cd6d5a7ab99c8813888c5d85245baae4bb9

SHA512
90e85e24f3e4d844802a360e88766f2c1cff9d8906b7b101f39e49874e0cffc4645928c68fc32e1171841f6c78a29a6dc182cd37d575d82c36e9871a516c3ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
37450eab3e1fbb65d655dc54efad4e1c

SHA1
14730e41b3953a09f3c820a44ec4491119b4fefb

SHA256
3a4324e9f3180c9715038309e08a6402aff7384dbff60900c7e230bce0918411

SHA512
0b5f49943615e0f4b618d208015f3a27dc24e4e98452fc14bd6f1c43d2d43fe690266794a00aca402419e0af85ead7cb8bd7fb971a42172cb801f15956d91e8a

Download Submit
C:\Users\Admin\AppData\Roaming\4d1b2be1c4fd1e7a.bin

Filesize
12KB

MD5
b1ee4ee61ccff819128f333b68b041c2

SHA1
71246996c2894dd88b51dffaff38056b8dafed9c

SHA256
ad297621502e0e7a61e6ed799f6e19f37f981f1d7d3b7678a6f961033f93db37

SHA512
29fbae1e9323f568859cc55d9297323326e5b233b1d63bb4f06d5c3e387a784b63e75dea7461f559d3ecae74410aa32db53ebac0de68841b2ac59064e673113f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
774854cc12128e52bc7392822afab3c9

SHA1
9e9c86b09f8631a3915409fe2ee445e5fb84c608

SHA256
d684df6d7d22db812b515d7215f6a075c2481467720d97b0071c272f87bd9c6c

SHA512
fdf9e5286f055a02b6d59d76831564f5a7a2ef3d883f6239d7e5e8d5ee5596e7cf2eea14ae464a1b8f27da9beac09b416ed0ece59daf95b8c00b4a9ba7a19a0c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3e28a03427577dc41333e993f4dfdb14

SHA1
47da993fd9de519dd9dd74b19798fe1cd7a4c4fe

SHA256
cbe8fc40ab98e18025675ea5d1b53f9f144165614441f0775ba7e67f13894b22

SHA512
7267e5abb5ab0324c92d62609c141eb17bc41276b199752c876373f667923ccb1e02201d1ee52a8c5b7314d7ad391b6354eb8d17280f25adec1845219595d537

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
3ad7c131a1a7b203535a9741f9a070e7

SHA1
7a1a982720e715b3ee46e498d318c657e70fc778

SHA256
056707e0c9b10382eca991317580ae4c4d8724b77fb58456a717b7ea815b4414

SHA512
61d0494e0e994cf8f983e8fe83c7fc8275cca1b4103b7403d58ebe32ab42fd28bd4d962b56263dcafba6a1195d02b297326383696295dacbf6f7655831c11beb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3ebb87c7a8e4c2fd22ac259ef0ee4c33

SHA1
4a00b90fb9511f2c00ca43e1f1fdfb8b6bfbbb16

SHA256
292342e8b518c7525d057d86744aa38ff0c71ffe771e24f95c0b45d0bfbb3f9e

SHA512
1110789d21f41043d5f62d580808dd6e12843beac2856a6f41294c7f9aac8f74645d26f6f3a12cd53c3ae745dc9e35e7100e66bb45c5afc7700ddb432cc22b71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e1ac2673ff55aa7756cd942b41b5abbd

SHA1
2871ace14021382050cd947372208039a68fdab3

SHA256
0d21596d5c7eca9b073f7808b194e25b3d038f6f2ffb539028fe99e91027b08c

SHA512
ed9ba82e4f8f77f1db4db73d90153c0a8c6cfec85b44d6b7f87e7857d219d9423f6c58cb5d1c15fba68bbb4437941b39aabae4daa31d9039d3b75f6c84d47749

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0496968f9fcc814cfec875f546dccb9e

SHA1
35d4d243066c437c4cb1c928bd55d16203168b0b

SHA256
fa4e4429de625cfdb760736754b7fd3a7d052ec3656dbabb848d0c6bd34dfc7a

SHA512
31954bbc22bf9a6329902c524922da143a3c325aa32337f145a8734279c055b3ed349d043e16b6930958ce9a01eaa49443bfb8463bb28be2ec85c1951d57519c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
920267e2f9b27237c4d1ce674f947abd

SHA1
7914b58163094e3740735408c08e87eac6376f45

SHA256
24347c7f4d441c1bc96964a78785ae0a9a38821dd60531bf197eb45175c7d3e9

SHA512
e08641f92ec659477e139cd616a20cbe40e116b328f8f5383021a2b2b8a04ee72530477c496d931c5e63b0d5b3ea29ef37a4eb857de1c0bfd3d0be3f69cdd7eb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
022ff0c3d50b746b2ec212628ee55733

SHA1
13d34ae4a18a0dbc8f8ad18e517792ca57f0ef6d

SHA256
a9bd2c8469cd8687afe6b3fe3c7682e1eda3de2bf8f0a27af5141c75ad1f9b28

SHA512
c0aca4d902549254ec78937804ab4dc8d278b3295f291ba675d03f7a027bac08193f5d2436878b1c9c64ccebc57262352023a20819198a807189e909e4da0282

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2e6cd16626cb837a4b5379e2e1e9bf34

SHA1
fd908403f4a0d73fb84078223ae1fcb1d57b1a35

SHA256
aabdd015946cf280b50e165620bb2df10ff86f58905427192281ed3011f91291

SHA512
cdc8e1f50af8acc941d833d59aa08c034463d29b3bcd46f93baf1c84b35237b955382925374d08508bd4ffde8f6e88ef8d780eab9739bcf6a327cd6a4e638a05

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a9e3d09b48300efd04d7fac648dfcb0

SHA1
aec31be471aac0730e57abe638ccc48441d9da78

SHA256
6f5797793886ee8ecc742f43eac97960179c9698d46492e979ea4f5d4ebf66dd

SHA512
e9648cabed6c2a81578178fb9567fe9ef105b671e67f367886b2c0cbe662cf88d77c57c48aa870ef95d95d3181234358a15b94a48b28cf89c1551074d59f3df1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
54ad37a1bd0e040914348b1c5b4461cd

SHA1
5908e404d2b85cee72176ce83f26877f8268fb76

SHA256
b6630a24ee5b0efc4d17d9ff9c9ebd18407438d853c9ac1d011568a3b49c4b26

SHA512
213eafd7d0ec00055af32fef57860752d35fc92bb1131d6576be0c75512cdc2c2296c99995673dd8fb08a4de5034241d92e9a1b99aa6f99fe803a799af633139

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc8cb47a0ddf3a965fb7d2988cae89fa

SHA1
62b10bf389b52aadeb73d6d11a95ed2ee18da13b

SHA256
36524c50ad7c9e51f4b4a48ec6165d32de1a26c7fcc44bf371e9b07c9a807936

SHA512
bb7cbf6aae427a7cb4604f44b18e3f39884f87d2a680697803b5c0e88a09ed4effbb3ea2d651240361a31a21b7c077330c5d157e16a1adbec6c7164b2830702d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0eadaa5f1e3f5c94a95f030dbfdad6cf

SHA1
3f0be922955a6bb1dc6403213b206930ac1b7bc8

SHA256
a00798747219c02dc90bc5c9db29462f5aa847c3cf83a90e71ee02876fe61d61

SHA512
036b579076cca61041a3c2f9e4ddddc093524d985a6c4110134dd9773dd104dc75d7184d3dce5a32ee56f2250f48489f37dcc6431fa02931be7a62367a39161e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5f61efd944250adc575a5a537eda4a89

SHA1
8941e489e4c30a6038cc82e2a39227126ffa045d

SHA256
24f88d32d19b3dd499f78407113f10c7d1127ff77b3e88aa56b3f130a5eed5ca

SHA512
de67364fda91ee9f98c0677e4e0dd0b92d1a0fbc0a03c49668f9034321597d2474fe0f5b3f5f0d95fb6f1af4afa629237d12a934dcedb27f291c7d1b077c071a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1c730f3b0717e7bacbf24d112a6ee9bb

SHA1
71baf1e4fb471162cc3cae26fb7c6d9403697448

SHA256
bccec37c225d349feefb3e88ebf0037417014e2afe1b544c00f38e92478b69cd

SHA512
40c26a40337907e60c3b375add69cd120f6dc3ef6f656c542b1901e26497305caca5bffadfa03a09c25403acaf6743975ddcbc1841be75b51aee3955707f3e45

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9e8e808dca74465d16d0adbd9c7fdcc7

SHA1
9c612698ba0399eb5b3ec779c49bac0a1d335b07

SHA256
45f3104b20e964d73cd8cda7bc8ed0b6115e0649f69f84db20f95f6f899c86ae

SHA512
b5a83b1e3a602d46af8f7d94354a7632e21e06f3ef0365c51ef97f92eb021a95490f6ee7bebab60530f9072b9130c4f4a31d26f6e901c7c564b199eb00de7bff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a2706d08680d0d8d0335dff3a373e37b

SHA1
337261e9e0fd2c513f427203611429d8f8d6d549

SHA256
4bcce0a60027100a2601716d7357a171736ade762cb6dd79fe3a2b8dd860e6df

SHA512
f44c95f06ae7eddb419721c13daae99c80112a246bc4e9bee03a646d83e559874175881fcfe16f4cc5b7271a66403f8ed690fbab44540786452f0fbe559a02e6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9a55105ae517c62f4b62292d49ab0bb5

SHA1
dad987f64a608f27dd1a938cc03657d185c44ee3

SHA256
dcec21caff8cd38826e898d25c57625324387809923b530ebb8bfc4e639acf21

SHA512
84a995b37feb865d0423f9606ab2c100e8d889d1456aff204649f7728ede49fd0d645e1c5f3addd2648221c1f63b9e073a5cf81d9d57d4a378b14a503da7a887

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
2100de2aad08d29a00d3c437d14c3e51

SHA1
36f743b567967691732dcc12be982ab5af66dcdf

SHA256
7f178b514e08273f35498e058197130f73ccae9a935c71a2c876973b8922b33f

SHA512
b391cc0e4803611ce3e2947e7160d43b417dd94aff9e607952b434fa1973b49cba10462a72b620a4bccbdbdd6ccf3214a782324e809e57f40df4abd65a249f36

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e4ea6f2481ccb4f3f6d2d5b8dc6e3369

SHA1
f8bacc5b446ffaebaf8fb211fa2dac3663c5019e

SHA256
b4306457e46d4a15c21896ca1da67bdcd080762e80af09be9185468e9e4fe686

SHA512
7e78f23d0145073f8e0a8cfd37ca301b9ae6e7755f4de42352a71f3af3b01aafd9a532c84775bb2f4be39edc06f7c94e01602dcc9e892a1f60df4138b255913d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
dbe2b516dda6e8c6464d42668bc39c7d

SHA1
1a7bc15cabfc59cdbd7de522d575c0763d33a7a4

SHA256
c6f3ebc3a495f90c90dce73770a56cc39d75a9c5ebcb78e58e2b2dc8d6baced1

SHA512
65e291145560968d8d9333e123b71770ebb911a1e8dc67bde0dcf54f46b96a2a71a7f5f4dc1a7f152446d18af09836d3e04889c8df2dcfe00c985f75f526b25b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
cc67a23c0dd88b8c4bfb03c66f621245

SHA1
61ccce921bf88dc2d7a8b0252aeedae2c6d4d836

SHA256
8ffc35db3fc891542ebc7e83bc9602a8d0e1bed0eb4addf574db071db7ed96f0

SHA512
e12baf41a66019e558ceb90a694384aac3066ae78930ccc9b2a5909882089199261dd64ee62e61cb94f2eb93e60ca0afb98fe3b725d7f1c0bdee4479935bdaea

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f6e4f4ed81e2af32b99b2ac4fbbeed7c

SHA1
e2140cebb7569eaf6f783e2d57ed65c4fd31e309

SHA256
cd20a2ff76e0d656a3db11c62c774529cb147570715272d32e42a6012d99318a

SHA512
0e415efed6cdc84f822694b9847e8e17aa5b1b4641353f86d0f0ae0423e0fa6eb2357d0fc07af1f0d536843de59de485ca312bbc081d291b0af67f49748798fc

Download Submit
memory/468-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/468-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/468-107-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/468-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/736-113-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/736-114-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/736-125-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/736-133-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/736-134-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1296-217-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1296-148-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1296-138-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1804-46-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1804-8-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1804-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1804-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1804-40-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1972-170-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1972-177-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1972-243-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2052-70-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2052-72-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2052-123-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2052-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2052-78-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2096-193-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/2096-268-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2096-186-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-23-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2620-85-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2620-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2620-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2648-257-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2648-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2648-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2696-155-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2696-230-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2696-165-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2988-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2988-224-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2988-296-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3016-108-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3016-19-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3016-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3016-31-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3476-53-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3476-38-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3476-37-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3476-136-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4116-59-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4116-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-65-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4116-79-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4116-82-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4792-237-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4792-313-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4792-322-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4792-232-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5088-285-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5088-211-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5088-198-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5204-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5204-280-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5204-340-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5376-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5376-293-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/5376-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5496-305-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5496-310-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5496-299-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5496-311-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5592-324-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5592-316-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5692-337-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5692-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5824-351-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/5824-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5924-355-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download