c4e547c77cb6e20d610d3894d84d06f2083aed63a583b8e1a551f97864a3f93d

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 13:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
Size

5.5MB
MD5

dc921f93801b09bf6b2e76c78d19f883
SHA1

a1716135b3a22c04d2c974cbb5871985eda2b807
SHA256

c4e547c77cb6e20d610d3894d84d06f2083aed63a583b8e1a551f97864a3f93d
SHA512

5f57be69a25c13d3c70d67366b9ad170d4f8f0104758ca02d3dc072db6d2e9269b205a6419e8c6eb62a886e98556adcc43578e81071a2a9e1945c1ce294f0901
SSDEEP

98304:oAI5pAdVJn9tbnR1VgBVmEU7dG1yfpVBlH:oAsCh7XYtUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4864	alg.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
1376	fxssvc.exe
3140	elevation_service.exe
4780	elevation_service.exe
5152	maintenanceservice.exe
5388	msdtc.exe
5584	OSE.EXE
5712	PerceptionSimulationService.exe
5808	perfhost.exe
5992	locator.exe
6068	SensorDataService.exe
5244	snmptrap.exe
5580	spectrum.exe
5136	ssh-agent.exe
6036	TieringEngineService.exe
3628	AgentService.exe
5188	vds.exe
6256	vssvc.exe
6380	wbengine.exe
6512	WmiApSrv.exe
6680	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e5094c2a8642d83.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\java.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe	alg.exe
File opened for modification	C:\Program Files\DismountMove.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048c7853afd6eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd4a873bfd6eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ceeab3afd6eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000792f2b3afd6eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3808	chrome.exe
3808	chrome.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
216	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
4924	chrome.exe
4924	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2992	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
Token: SeAuditPrivilege	1376	fxssvc.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeRestorePrivilege	6036	TieringEngineService.exe
Token: SeManageVolumePrivilege	6036	TieringEngineService.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3628	AgentService.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeBackupPrivilege	6256	vssvc.exe
Token: SeRestorePrivilege	6256	vssvc.exe
Token: SeAuditPrivilege	6256	vssvc.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeBackupPrivilege	6380	wbengine.exe
Token: SeRestorePrivilege	6380	wbengine.exe
Token: SeSecurityPrivilege	6380	wbengine.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: 33	6680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6680	SearchIndexer.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 216	2992	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe	95
PID 2992 wrote to memory of 216	2992	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe	95
PID 2992 wrote to memory of 3808	2992	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe	97
PID 2992 wrote to memory of 3808	2992	2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe	97
PID 3808 wrote to memory of 1608	3808	chrome.exe	98
PID 3808 wrote to memory of 1608	3808	chrome.exe	98
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 1372	3808	chrome.exe	105
PID 3808 wrote to memory of 2776	3808	chrome.exe	106
PID 3808 wrote to memory of 2776	3808	chrome.exe	106
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107
PID 3808 wrote to memory of 4340	3808	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-05_dc921f93801b09bf6b2e76c78d19f883_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77549758,0x7ffb77549768,0x7ffb77549778
    3⤵
    PID:1608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:2
    3⤵
    PID:1372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:8
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:8
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:1
    3⤵
    PID:792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:1
    3⤵
    PID:5264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:8
    3⤵
    PID:5216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:8
    3⤵
    PID:5528
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5540
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x218,0x244,0x7ff7631c7688,0x7ff7631c7698,0x7ff7631c76a8
      4⤵
      PID:5488
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:6044
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7631c7688,0x7ff7631c7698,0x7ff7631c76a8
        5⤵
        
        PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:8
    3⤵
    PID:6092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3956 --field-trial-handle=1868,i,6494410970762643109,7293944825962853840,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:684

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5584

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5808

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5348

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6336
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4500 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:6768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
704KB

MD5
a7539f7c1d44745c5f44ec2054c79cba

SHA1
6251e8e59f74334e5802a5a212b81094321e43c5

SHA256
8375d6b3e1018b75c90e8ef9c2fe1b1744811ec7ec2223bc8514dd30f6321a5a

SHA512
60111d599879767934636c44582b9480bb92f5b1e36a60136f4840a46a005ad43ef05023d1873fdb2b08fc3c7582ed9403bdff2e84bda928c06180d35d37786d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
ed3b928716313d5c5d44cfe0bc9abadd

SHA1
951978ea33af1b2b08f589af4012af4c20f12322

SHA256
b0fcab08beb4ea85a6cb0eb3d0e29b1288dacee322f561727eb5c78f79f7ef08

SHA512
530f8823f70382f74be207cb04374600579735e4a580b7a4777c6e240836013491f1a2e1f5b966e21ae945ab0f478b859e112a81df04639eb13dfb84b3f20ac8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4eb48e8557dfcc04bd54f4e258a0124f

SHA1
1e9bd7838ef1d5906ddeff54d33f55151136e1d4

SHA256
0ba0e9e740d07e7613e2acab01f95c0ef615978ba94eb161d35d6d4b32f528bc

SHA512
68079af69adbe532a050b24886e17d01367a5cd74cafa70065143b26526491afc09ad9b64c4e69f20e3fa73cdd1721cb52b147f8a875839de00e60690962fae7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a85f60c274be27aece17c9da6205d580

SHA1
9f3ca0394b8252166a703aad38b83623008580fe

SHA256
982d5a2d50fd8ab018f267eec71ac759009ca6ce6f4150ae81bf4c1c9cf1074c

SHA512
75ff55002ffad9ada2a487e97f1f1c1dabd32aabe068e50bd9e24abc9139ec52b30b1f2997771f7e98ad9765e01b5fa59d76bed2afe482961c3a638aa8356e54

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c243d73ae8ca9703b5c2de29d7adfd72

SHA1
02710d90bb0bceb3d03bc3be8d8ae961fc9417d6

SHA256
265cab75f4ca285a4f8b827296e21b7b4158c4817d99a3e2707434812dff756a

SHA512
488ecb376c7a4a6550f1c96c9059094ffa22eb3a88db61b63354697b1eb6ec4774ab35e9c425cf71c18ddac0f1e4c16c3858fa81880a0b2f3ce34f823ea47174

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8c71f0c5069da688f4afe40478ce9bf9

SHA1
f6c1eaf87b9be6d0f3e49e3ef36d132938c3d6eb

SHA256
1cd854b39fa4a38367e159d1c78cdc71e65e3523c35da222d78fa9cee3bb6e6a

SHA512
54903c7b5bf5d23e314e83b22f398a3c83686c59ffa398644e8ebfc7b2c9584817d0d84945636e2a03425738edecbff51434aa51ed13628b420ed180d746c9dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
af920439d56d2a234b300ef3924ca600

SHA1
7894b10fadab9f6a0f1c22260edf8ed5c75ee1c4

SHA256
b27fdb99b2896931d9fde0a681127dafdf36e3afe8393af22f65d8ab3844c41c

SHA512
b8089c000564efb7f25bd6d7c9d743f781a5156d38df08fad4ff50c391972de47ab69667bad650ed9cd3ed0fe1b49cf0a2d67dc705e024049140c911b1cffb64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.9MB

MD5
ab7099cbb0b05f5c443ac63e8576942f

SHA1
07dc752a2ceaa631358d1644b091a14b2918402c

SHA256
086fdd13392fd2d29edc9c73662e5d5d1bbea7a448f8c0435eb1c428bd957d62

SHA512
6ac63667eb7f976d1c3e1c2a39b5a4669bfeb93fe8c7a3a20e737515998728809681f12f04c10a09c386b9fb3691293dc9da6d7375ddc37e83541410b7ca411f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fda67ffc2f369b2924da4670c10544f0

SHA1
ff66207deb454cd520012e6827baba2421784a0a

SHA256
579bbac7a3eaf2fd210b295e878ff2e147b8df1d206b4d42afaee93bd7c80e53

SHA512
2aaf364fea899152dba3694dbf2bbeb6a9d706b5b192b60d3ccb74931427408bb3ff87645e9b9feb7ac20cdb3a8054ceafd917105ddc8823e570225a6469643a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
256KB

MD5
cb5bd03ce3c801e5f9ee610f50351a59

SHA1
5afe0d4d18e842abbb81dc3c2856f02ca4a4c938

SHA256
0a5f1f1fe2ad607de37c9601998d66b81eda6aea90a7ee19b0467fe41546ab18

SHA512
0dacd19311f1975d3ab2f84b84ead1c242a6559e6f1831c68272025c7ccfb5d4fc1758e635fca195133b9a9e7f05347e62b4931c3d65a662834e770f6cba163e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
571ab837627ee4fc6f825ce8a26dbdea

SHA1
c73e6eacf804cadd64b99ae01332f77c651d584a

SHA256
6681fd7be9a3cf6fa8d1c52d7a0570c0b7f544ef6e32f327d8b479f9f3e1bde7

SHA512
25cd87ba43c2555b5901bf1b640dcff0f4050f7e2434d2204c0783357ebe45390a8b33d265874d632f9dfc0ab9a434721d30623bb25450f5ce4172b2a5e4c176

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
95c3c1a389147c3bc128931198f13b27

SHA1
02a7f382eb1ac1ffe352e9c2d5797344f7e80386

SHA256
34a98b99d9255b022d7effd4ee3a8e1b3be67dab8c85911cf988e6ea4c729ea1

SHA512
0501f8df780199185c911b5acd86af57a1ea09f30cdc88ebbc74bdda56a33f64c945eb53a966798363b15b976d4331d1af3189a9e28d83fe15e36c29b3242c3d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6e185b23b8b725d20dc9111903642e16

SHA1
22b54e32599a13ae6ef6b37c910866fa023444b7

SHA256
222d4f10729468f9f46d70d87a11faf2da74e31011abd4f14b9f794ca0cf0871

SHA512
f49809ea16f4ded346e4df0f1e327cd72d4be4c98a66dc6e599eb8ef8f158288e3c96f6ba98258061eb9a5ab895014dd39bda8230d7da083fdb9e74a65bfadbb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
256KB

MD5
36fe35b1c5e506f2cdaeb467aa9f942d

SHA1
cb611a8e724ef780f1e9a9de600dca4a644248ca

SHA256
05e8a34a294b6b2879a931c28611fba96ff8848a3cc8981345ba5bd2c5c9770e

SHA512
77801e58862e5821438eba67fc1efc86d19a624411bf6f12e54bd79e3adfdd720677be6cc3c8e92250894e5ff59663aa8a261f41973d33279c8044d383a06c1a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
256KB

MD5
f43c66257c5deb2ca5d562f25061f2c4

SHA1
b5e9f56394fa27376b31c4974830e02127d158c5

SHA256
12f6ae002797382f7b7f6f07de8813eff97ccbd2243fa1c5aa4b7e0d7f66a1b9

SHA512
4b11a5c35cf481a09757250e4c889cb06a414f692a401b78e7cb4ad971fe39a849606e220bf47de42d8a12d316a8b960970e3d4db624363197873b3ea5d85b28

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
256KB

MD5
8b40cc9ea5927002f0aa9f9798b241c8

SHA1
faf80eb3da0486a6835d7608294e7b32491a60bd

SHA256
e504567f42a820a53c61464c5d84d16e025a2ea9640caa8efe7592cb5ec77be1

SHA512
60168891b0172607341aaa43e82352099d831c5b41d9bddb194d95b67b8d44da7aec64ad9c642ed324c1639f4e87ead3c4f3bad3db2f923160c77ed698768b41

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
946d1cc1d2075e0b51684a998ce911c8

SHA1
3915b5f625b7e65b13fe5babfb35bcfeca2dee45

SHA256
ee093655875888cc4b1af3655b6926de7294990ea34b430b15fc985499add385

SHA512
2387acfd37ef25b757022c6d8cb8bcfdfffc1c0662f41b4084c91302d17928c318ad358f71597e59f15985ea3124dfa6213beff372224a0ef5aaf58fcfe0a89f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
256KB

MD5
683bcd4c769cb45164d6b822332eb922

SHA1
273091e35869b54633a86af8f98684395337b6fe

SHA256
94d69c48987798c116adc6c4c6c63e4506412d32db91c972263ba1fa71c8504f

SHA512
c58a4abfd734d7877d060088d9f4bb9e9a3914ee7011f33c49fc37158c2f53aa286e9373a864b005c3dd1cb04137bb021ad98286d7663dc4045c0d8632f7dcbb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3c5541a2-7776-4455-8a7c-154ec85cc7a5.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
256KB

MD5
694121ca460015d8e395dea3dca594ae

SHA1
6ca2c413a811b30243c6bb5dfca7f29e5ba61c7b

SHA256
32d401396531bc6e888826826e1a93e67f74b134851aa2edb59fc319c38f03b9

SHA512
6b57c4cdc127328cac1868f09a6f7bf934a4768b97f54142a1d8d6dbda8d9c72fffd4d9aa5d3650b49cc5bd2d1a027fa6aec1c4a5e878cb4a53fdf5add0c2d1e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ffede12286ee816d05e59e3401550a02

SHA1
c3768a0c8f3e345b93fc3623750afea9f5f9cd89

SHA256
1282486dc4d443f38e26e09b8f6057fb97fa87cb9ab1820c44094b845d238117

SHA512
b784dbc1d6476d27db9c3a153b3ca0f6643ebb8c5d3cd9d2c05d9b6c812bf0c00afa12cd48747c4e5a4b373d713ec5a81cf50cf6d0b5814778843a5e3b1bb2ff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
256KB

MD5
1da98f69f69d2409522c8678bafdd860

SHA1
c84df07b81532835be4f9071f915aa2add121098

SHA256
75ae6661ef2569c31a19b52d78fa0dcd09ce9c164d2f45088ab48dbdd15c9444

SHA512
a7b2bf6f8369728aaf71db3e29cadd30846144d8862a4f1f23047074ba708d4d5712fe7ac68a1a2ddc0092b9a88c1adfb9082d979302cb4e39bb8bdf84d4aa5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a6af806de53cade9b0e7a6f2446f1ba6

SHA1
d5078ec988045014437eef70437e1243d3c4fdac

SHA256
e1a9dc7f8e1fff71c8ebc2da931c3c254b5a62908a6d22efbe27085db8a9b36a

SHA512
2ff96045a3b5e1adbaba43ba3267c6d03f113bb545af563a3711a998dd5c4426ce4f56f6cb501d2fb670b8b8f5fa71a696797648b428c86ddda7de4c82d227f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cbd0127f993d533e68bf362e1aa3bc83

SHA1
6a5eda6355f6b143a8b4da06c71b88daeeaada3d

SHA256
3007296d44c1f9938562f5dc5558e50357f04516c9087f537e086cd6889cdc18

SHA512
4c17a3aa444f5eb8c8d23ec7b3e621bf5d39f4bb2f74b250a3817126fc5e12c6adc67b863753d4306d6517ac4a103f1c35a212f73c58180b06851c03dc4f05c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
32b902321321b742cc73420044ac16cd

SHA1
913061a415645b30ddea5e80639b3f58f00ac0a3

SHA256
536e1925475f103e58b5c1899f965cfc1c8e6d8bf3e57abf00f41c4d2d9e260b

SHA512
6f92fcb4c37fafeb1bb11c691f6c16f98bb54d8bb5dec11e7586a46486a51a92d0d6a8b1a63abdede4a07e3c17dde21c9213acc309ac382ca4703d059b3ddeb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5ba804bf52afb208019a432bccf9200c

SHA1
5138bf74024d565e23d27f04738c55cf46f8fa02

SHA256
ad0e76fc1b0dac3651698ef2fedabd391b7aa081f5955cb40e0d45c8c7a19821

SHA512
cda0baf0d74df0e78c575817ef0bd2b0e2e44b1fa18315b71624bceb69f8b28b586599f8368e9a974d863fe122ae6642e3447ba99be754ddc0c34a8687c6d6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8d6f493ea4273b7cf76ae872ad097652

SHA1
d2eab01c534dbf10c844a520a84d302ae58463c0

SHA256
4f2fcfcbc16d4501222bc06b5d1498fe8f959618fda52288ab997a0e1ccb2d35

SHA512
a3cee849ace84f2baa09084f2cbeec574dad536422b347295d11a3d6575dfd73d39a54dd9f4349db086f958af12a472524f11f4e3c6260414514c179ba5fe053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8b6f5b8e430eaab1e963dba5b2949454

SHA1
5488b9972b603dcbbcdf96e68fb46d007955afb0

SHA256
8a5ac5ef1c37e76599998a2154bd219d1b41666a4da743af1a9c1741fa6c815d

SHA512
0e1d6bd6363dce697404b266d8d0043f1baad66c921d844489178bc45358022643eea0987338e03e1bccbcf51d08a07887d99faa16519902dae50713eb1697f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579c01.TMP

Filesize
2KB

MD5
3c284274fcfaed236362cd810b542cc2

SHA1
578a3c86ae7cafac8ea2fd1aa785913f2dce853b

SHA256
697eae9f64542c73ab26efd93f8fc32a77e9c15cc99fb60dd3f3866ca8df21cd

SHA512
fc6099cf5604e931f5da5376effd1c720eead4f9398298c70c7746bb25ea66692a2acbc4020cf75754aa62d90183cf032463aea80a90afc688f5687d2aac2042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e42f03a4be8bd79930f58317b7d5bb9c

SHA1
3795a36fa53e73571f7e13cdc1659f16b362801e

SHA256
19c4a020c732830be0e684249c24dfd2e5fffdff66208d9fecb49c3df22c33c7

SHA512
e29ffae8b629025d9a4cf7c3eee136d0339ea9cf39785a2f0f1597eb5e87cbb67b842f250b68e68ade9d898f9724d3f5f2e8553c48901cdc86739c6475110b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
c9437643fb8ffb34f70a07fe95930f0c

SHA1
b2d6c4d6155f85d42fba0e6c9c89ba05147b8888

SHA256
d0e2907cd96691c3008807da2fe9057d68b871df8d1a6d66ef161801d6ad5034

SHA512
482b440e07258aa2eea6b981fd4db83bd5aa4e6d406affc9e77d53203cb84e8a2ecf59c75987fb4a1043a4df6341c7fda1f6f852a7b649b40fecab880c9426f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d952c249b343c29220d3699e92e9eadc

SHA1
3b96616ccd79fd24a14f4a1d18306fe4ef2b24a2

SHA256
b8b9de353a77496e2a673e2f4c01b1245d238bbd853a71c536ddcdcc4b8199eb

SHA512
04207988adfcaaf3b3e1bfdf82f265f426c5e39f57d82b107c0ac1a4f7e5eb0e0e92ffa0baaa9b773188150a1cd4360db7aa8be54dd2e1dcd4b216ced066979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
01ad86a451b0cce45890669e5a98bcc3

SHA1
c3c75cd3bfa91412906d88622978c9b854ed8181

SHA256
8e448ea8a6dfb086dd35cc8f3910ea8f3bc7d8c2287304488bd443a024742291

SHA512
6d51af88ef12696664b97381722daa7bf49f688063620485ec08d8def01210acf161cea70f17fbd17a4fd7ecb8a7d6953b27d664b70a28dfb8ceebd17e4fa03b

Download Submit
C:\Users\Admin\AppData\Roaming\e5094c2a8642d83.bin

Filesize
12KB

MD5
987aab05208ffb7e290a954260ff2936

SHA1
05ce20a3eb0847db4f0ac68e375cab23ec6a202c

SHA256
dbb0a33e63bb00d86b171dbf68c19aa08c94fbfd3083fad3a22167958d4c67f2

SHA512
a80915505cf2a6219598cbf0639f197425f2a4b171de622d37d26358b362198400f53442ab7836a948f2d630265afd43df3a81cea010d2b2e62ee13ba4976ed4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ef2e2d8e5dbd85d6028e7b175ba1565e

SHA1
99c552d26cc1245d0b1d4dd2ce907f063d7f5799

SHA256
d1e770d9671fc77b656542a668985c155a807a00201817525719fded443b5b7e

SHA512
61929428c8f1d036098a4f477db0855eb089691f6619b1c4581862b92479fc76901185c8a6cfafbcf261658282772625dcd45e42f5106832b1ae7d92cabc0438

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2cc807fd384fb1b02d3658fcf393d34c

SHA1
0d7c6b95449de8e6feafba4022dd38a01554f66a

SHA256
1eb9839100de84be7dbd2b0602fa61ee3cc2fa9c075d100f2506ada0da8ce2fd

SHA512
6c93f449228ebff6e133fc8f3862f26661552569c3ef18781baa1bae7f3a574056f8f17293f76e1866baf8f5dac621fb947e297a9cd79da42cadcc912a9a5b37

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ce2e721a7d5501b21b7873a505f1e7dc

SHA1
2966fa9a26b39ad4df0872ff0b7afdc43c3b3909

SHA256
eb85bda97c685c10ecd089d4c0cc44600b69cf7734a3f3aeaba628f8f9b59354

SHA512
ca6e76674d2301662b1072250fc2d433d37345934ae239abbe6bc978b2532e1ba84b77f6f3ebe55287d874f542d819fca83db8b2f0737f1beecdb5661ad8a927

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3cca6f7b072c4fb0063841fcf943a669

SHA1
ddbd231f82882cb3aa606caa5aab1ac6aba76c5b

SHA256
e65bb97d038dd575c0b9e7151446e6e3bc011d0baa8da0b45afc74a37f2c7359

SHA512
747dccd98db4b50e4f3df64e2b0bc35532a194a2aeaaff41bef0144fb4af469921e572f030cf17e9407db79b2ca131ad75ed22341fbc943680d3efe200fce85b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8a133d9e05ab65dc26638fb44b6270cb

SHA1
522a3b253c762d4ce11a20006865658beec18d57

SHA256
d9c1c0e5ee744c802a6342af1f1a0b2c6959aacd250226ae129dc015a37fea92

SHA512
0e8a2b16b088cc34676fa23683176403e25c1929675cde19dbbdd387fbf66a26fdb4c0ceb931ecc250b9877fb243c12b7e3caaaeb8e0474b732c31215feef531

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
58ddf90d54636b974d1e7e5e708175c4

SHA1
50d01fcf52aeb6a469eb91a3cad8c7c3c7f73459

SHA256
ea42ab45cf093d8b21b8171989f644ff501c291f5612928a72c5c38c89899bc7

SHA512
4d04766ee6faeff74321d285eb257e81a85953f1374c26a7cf3a19e1a97c354e6c5a1a10f1631cd28567d9e22dfb1b2d8823dec087c4fbf2c47aed40d5bedd1e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d6ff3b2d9487468a772d33d4973b8801

SHA1
2db062c9b6ed8006a6615702bf1c3358309ead25

SHA256
61cdc4af9acbd6da56964da617cc32c5932314a253bb4ae42d5a0c028286d536

SHA512
60e0a929173879cc9ba32f7a96e669ec45f49e7e76d8a0b3f6184081d3ad77f29ca273e94148b239d5faf1b1fa267864f63f2891a167e20bd1a7ea79e62a0dca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8d1915acb7417925fa4a18f0d18c848d

SHA1
1ae618412bcf90df3650a900f3e8452557870a47

SHA256
2d968ffadff15fc8fea83dcd572406ca052daf4a8288b980a52abb77af2f0968

SHA512
c39d73508ac2c8fa6512bbe3b0221ab98a96a29d17db2025e61f114f5e4304f6c1b55b4ed5a204bf5d7477c5e94ce56469f69ce67f30ae74ff40b628184001ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5202e7e16d2240e908145cd7cadffa36

SHA1
44734eab4aa070f6e6b06092d3977bfa75f24036

SHA256
ad6053bf706d290951df33f0e3892af296b43a3e3a54307f110c592ea25f2fda

SHA512
feed869421ffad79fc78d6cadf043f466d0c435ec9bd38c477fba436c20b9c9c1bf3d47c8a842766353a3e56d9f129ad40eb2d17cd6b5d4ba509ceb17101e53c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
51a8b2aaf21fc9bb73ef0602177306cd

SHA1
79b4647f911ff85ea51156f563e5de0ea7c4890b

SHA256
f83df423376a9480063714005105240f110b7d65416990a0590994c1fe1a8749

SHA512
3e0be23a807f67f248faeafb696b6abacf676ebb1b0a5ac3d9b8f45df8b5f2568f971c2204d7329a0c99949c9331a903363f62e91f749c9e95fb6dba8e14bc2e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
832KB

MD5
578671ee666b3096d54374ab2a099071

SHA1
0ed1eee2f2e9e8078ebba944bcb287aa34561c1f

SHA256
63f52f331b599bb1079bf182c8b311b073ecdc9a7cb1dd5ab75e208854aac0d6

SHA512
4f3ad194cdea6b855c56bd8287aec9cd96b20a0560ea85ee4397558d1c64ef2919d738443cd8bdd0c609aea9e4227fdf34107a760a009e5e926045f73242aeae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e3e345de389fd8385a902b59fadb2c44

SHA1
fdb4b0a648e4f024aed0361d84ad036b432b789f

SHA256
d44aa099078625dd98a6abef3e8dde8e16e1f6a9bd8dd36759ac21cbd61ea394

SHA512
3e31f8cbd9c110461172d25231710837e73b71016b023b31766ff69b7ac3af386eaa9a68a1216fd60b5b67ee7987519b21a311c6e7ca153400875381db165c72

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0a5f4cc1dc1919a04e455fa6f41332df

SHA1
ba4dc6717293590ae1cfa040854043466907230b

SHA256
cdc5fec0d59cff2de3895bcd8e623fb2dc4494341aac192b0d505c8372a91cfa

SHA512
a36f55469037bc6eb2f7402ec27a1574429e373bd76fee0fe909a36d5e2bb016e7192fc11ceef0ab72643cc37884d164197c0a994823cad21e89b5daf26969fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
640KB

MD5
4911c90f182f339d15a919debaef8050

SHA1
c629278e8c711a38bd8a5b1113fa122f365b97dd

SHA256
6d1abce0874cc29a945325447af90b3dd5ddf907a998046d96d3a790b8c2af77

SHA512
9970b4e0c90c73bf25e27174c0262139126be35a42448cdae5f25051ecedc1ef515ff561ae04629e0229471460bc73ebd5d7b577de2537516da060c966ae85f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d552d791ac37377c84258038185bc1c6

SHA1
fe331a40b2c8518b8b894ba4a52c454a2664a621

SHA256
648121a2a47234504dd5e61bf1a98e910d74e68496b193f5d043cf963365d324

SHA512
a46ca847e16cf51c47e23003599572f3596c9306528abe92e07eb39f758afab308e3cdae0ad209e40728c98f4ad3f2f707384c9f55f452bb7bb674e12f8e06fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
be0cd43f6abaee5a479f24b025365a88

SHA1
4d5009afba50cdfd714014fc4240d5c8be1846a8

SHA256
f503f82913b56d3bf218e4a6acb2c84efb10b19ab9a7f485528290c7b2b67395

SHA512
85833fe84a962a8bc403aa33e00a984252bef714acb6bc8dd794cc087ae4f19c8e0da18d4aefe41e9809ba961b7d4450f3c42cfdb40ee80e4e1c57e600b1f350

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a54f54e54429078bcbdc9f0584398bc0

SHA1
09da87912927e1a65dee1e33dc12d1c646d825ee

SHA256
81e387ea3e458738182e983185d0aeec7b2de41ac95ba0db8d7f556ac4e702fc

SHA512
a42ca1b92e23be7f4f157c69740d4a0e9c9436fb3c7834c26c507fbd0d12488f982867c40801194048694425be9eda45b72e7213f074ffef2839382c5e3b90cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
128KB

MD5
3e16c4dfa4f8742d80829f39e3eea7f3

SHA1
7b32f072e3f85fec4042b12936f48620f9c5721b

SHA256
86ce6947f558759ec29fed53d863a99f3934bcd2e03a84c7e5c4e683d4a40744

SHA512
8f11f8e1677a540db8e16f61cec8babfc3171c5d2a9b776209a4fb93d19d961aa9166d9e62e729c07f39987c9ce0f01564a83794b7589dd28835b5bff7e24f34

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
65977525032194782302fb74372e0bce

SHA1
be4d33e1020f51613dd58dde0564aa088ba09a22

SHA256
f11a15dff21527e4dbaf80b3d6a496aab2c8cb48190112215a14bfa486b549ac

SHA512
6d408f43879dc8e16be87198beab6ace35f124f8bf875d4c89448aa418e64a283e333dcb739b209a4d0444cd027be39b7efae618a306cf8020711b13103e960a

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
320KB

MD5
0f05844cac89cf901acda4c79c5adcc2

SHA1
224339969a20f7a25526bcd9447058ea74b08546

SHA256
6adb51a5676e2d5cea5466195798de23e7622e4d531bf54a8ad91667ec98d44d

SHA512
3f628f55099d3a7bf53356bcb37d6005370a7722dad8e8b5e1cdef5015fec44443c438ef13cb001243e97e195e201bd8c860033e219dfc66331b2121b9660c60

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
930ed8a7af2268deb097a20204b968dc

SHA1
8e65c6009d248ca678eb6f88b3f5838b0a2b8668

SHA256
66b89961aeeb20c56f0f5762185fd84d967a6add9453871bdea42fadc2ba2487

SHA512
a1d42abe9d2b4e16737775c83fbc0b5d226bbc314940509da22e708bc62943aff17af78844e25c3e97a83f102ca07769ec2d2aefc94703fa7b1e13276602e379

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b191d3f3e81743b0d777d249b11cc7db

SHA1
d3d8849dd196506cfb4249433b22b039d2cca5b6

SHA256
962c18fdf0af3bd0575622d927a144a81ce71049d5f21234bbc512b4e664bb58

SHA512
9d0f2a3c54a7888b8d98bcc38ea9ee602a7a20ebb4efb0f21339af4b629033f9d98112cd8b141c91c28108eeefb97d7e827e685bee91634bc35392ad6cdf0f12

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
512KB

MD5
59743ea5f0957b22c129c469d920306b

SHA1
d75427dd4f47e208553aab7dc10890ea10ca67aa

SHA256
bce511c2fe47064e7928474489310c930dd7b7a7d4cbc794fd299f6a99d808fe

SHA512
b7df00b2eed8cd2c2a33984669d5aacbe7cd3e156e3ae211d3d8da78b9cfb3b4e463ae2bcaf36b5b96529479f896a149894634a687efb194117652cb2cf0f5e9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c4122c068294d46b4465f76239fc20f4

SHA1
76548f1a585a299545317506737e4aed045c160a

SHA256
de1fff09d3fb4fe0b4307abc4793db2edbea2fbf1053830f8011a563f36045cc

SHA512
21b56ce967d9a95782863a659e33cf4b564bd45498de36f9866d0cdc6d2399683cbb4ef49b397b3a3010c335d89903ad8c3ee4adcb1ed58fae78a06958fc4105

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
38ea08a2a7e5c0f3be73f230deeaab63

SHA1
6d95e3d179570ce43a8ccdf90d901677948a4119

SHA256
50fa53aca768bf9ce98141c17594e38cb33138c007f01a29776b3dacd8bbdd37

SHA512
7195766a9d83a453fb2521876e810d0c962a05c8df3e9a2f00ac3846f5cff32c3796c9e3593acfbbf455cf143b57de91af9a1195c9d8f327977fd0ab55b91d55

Download Submit
memory/216-23-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/216-84-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/216-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1376-65-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1376-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1376-78-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1376-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1376-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-131-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1512-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1512-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1512-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2992-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2992-31-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2992-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2992-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2992-7-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3140-69-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3140-110-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3140-76-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3140-70-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3140-115-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3628-305-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3628-306-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3628-292-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3628-300-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4780-83-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4780-105-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4780-172-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4780-93-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4864-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4864-106-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4864-30-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4864-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5136-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5136-252-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5136-274-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5152-114-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5152-129-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5152-122-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5152-128-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5152-113-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5188-316-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5188-310-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5244-308-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5244-213-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5244-220-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5388-134-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5388-141-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5388-196-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5580-230-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5580-237-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5580-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5584-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5584-156-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5584-211-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5712-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5712-168-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5712-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5808-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5808-272-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/5808-173-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5808-179-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/5992-184-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5992-287-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5992-278-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5992-192-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/6036-279-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6036-347-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6036-288-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/6068-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6068-206-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/6068-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6256-331-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/6256-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6380-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6380-343-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/6512-361-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/6512-349-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download